SQL Injection on IDS parsing of malformed asset fields in Guardian/CMC >= 22.6.0 before 22.6.3 and 23.1.0
CVE-2023-29245
9.2 CRITICAL
What is CVE-2023-29245?
A SQL Injection vulnerability exists in Nozomi Networks Guardian and CMC, attributable to improper input validation in certain fields of the Asset Intelligence functionality. This flaw may allow unauthenticated attackers to send crafted network packets, potentially permitting them to execute arbitrary SQL commands on the database management system (DBMS). Consequently, malicious actors with advanced knowledge of the system could extract sensitive information, modify database structure and data, or disrupt system availability.
Affected Version(s)
CMC 22.6.0 < 22.6.3
CMC 23.0.0 < 23.1.0
Guardian 22.6.0 < 22.6.3
CVSS V4
Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
This issue was found by Nozomi Networks during an internal investigation.