CVE-2020-16104 (GCVE-0-2020-16104)
Vulnerability from cvelistv5
Published
2020-12-14 19:23
Modified
2024-08-04 13:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - SQL Injection
Summary
SQL Injection vulnerability in Enterprise Data Interface of Gallagher Command Centre allows a remote attacker with 'Edit Enterprise Data Interfaces' privilege to execute arbitrary SQL against a third party database if EDI is configured to import data from this database. This issue affects: Gallagher Command Centre 8.30 versions prior to 8.30.1236(MR1); 8.20 versions prior to 8.20.1166(MR3); 8.10 versions prior to 8.10.1211(MR5); 8.00 versions prior to 8.00.1228(MR6); version 7.90 and prior versions.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Gallagher | Command Centre |
Version: unspecified < Version: 8.30 < 8.30.1236(MR1) Version: 8.20 < 8.20.1166(MR3) Version: 8.10 < 8.10.1211(MR5) Version: 8.00 < 8.00.1228(MR6) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:37:54.203Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gallagher.com/Security-Advisories/CVE-2020-16104"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Command Centre",
"vendor": "Gallagher",
"versions": [
{
"lessThanOrEqual": "7.90",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "8.30.1236(MR1)",
"status": "affected",
"version": "8.30",
"versionType": "custom"
},
{
"lessThan": "8.20.1166(MR3)",
"status": "affected",
"version": "8.20",
"versionType": "custom"
},
{
"lessThan": "8.10.1211(MR5)",
"status": "affected",
"version": "8.10",
"versionType": "custom"
},
{
"lessThan": "8.00.1228(MR6)",
"status": "affected",
"version": "8.00",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in Enterprise Data Interface of Gallagher Command Centre allows a remote attacker with \u0027Edit Enterprise Data Interfaces\u0027 privilege to execute arbitrary SQL against a third party database if EDI is configured to import data from this database. This issue affects: Gallagher Command Centre 8.30 versions prior to 8.30.1236(MR1); 8.20 versions prior to 8.20.1166(MR3); 8.10 versions prior to 8.10.1211(MR5); 8.00 versions prior to 8.00.1228(MR6); version 7.90 and prior versions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-14T19:23:30",
"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"shortName": "Gallagher"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gallagher.com/Security-Advisories/CVE-2020-16104"
}
],
"source": {
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "disclosures@gallagher.com",
"ID": "CVE-2020-16104",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Command Centre",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "8.30",
"version_value": "8.30.1236(MR1)"
},
{
"version_affected": "\u003c",
"version_name": "8.20",
"version_value": "8.20.1166(MR3)"
},
{
"version_affected": "\u003c",
"version_name": "8.10",
"version_value": "8.10.1211(MR5)"
},
{
"version_affected": "\u003c",
"version_name": "8.00",
"version_value": "8.00.1228(MR6)"
},
{
"version_affected": "\u003c=",
"version_value": "7.90"
}
]
}
}
]
},
"vendor_name": "Gallagher"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL Injection vulnerability in Enterprise Data Interface of Gallagher Command Centre allows a remote attacker with \u0027Edit Enterprise Data Interfaces\u0027 privilege to execute arbitrary SQL against a third party database if EDI is configured to import data from this database. This issue affects: Gallagher Command Centre 8.30 versions prior to 8.30.1236(MR1); 8.20 versions prior to 8.20.1166(MR3); 8.10 versions prior to 8.10.1211(MR5); 8.00 versions prior to 8.00.1228(MR6); version 7.90 and prior versions."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.gallagher.com/Security-Advisories/CVE-2020-16104",
"refsource": "MISC",
"url": "https://security.gallagher.com/Security-Advisories/CVE-2020-16104"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"assignerShortName": "Gallagher",
"cveId": "CVE-2020-16104",
"datePublished": "2020-12-14T19:23:30",
"dateReserved": "2020-07-28T00:00:00",
"dateUpdated": "2024-08-04T13:37:54.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2020-16104\",\"sourceIdentifier\":\"disclosures@gallagher.com\",\"published\":\"2020-12-14T20:15:12.247\",\"lastModified\":\"2024-11-21T05:06:47.130\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SQL Injection vulnerability in Enterprise Data Interface of Gallagher Command Centre allows a remote attacker with \u0027Edit Enterprise Data Interfaces\u0027 privilege to execute arbitrary SQL against a third party database if EDI is configured to import data from this database. This issue affects: Gallagher Command Centre 8.30 versions prior to 8.30.1236(MR1); 8.20 versions prior to 8.20.1166(MR3); 8.10 versions prior to 8.10.1211(MR5); 8.00 versions prior to 8.00.1228(MR6); version 7.90 and prior versions.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de inyecci\u00f3n SQL en Enterprise Data Interface de Gallagher Command Centre, permite a un atacante remoto con privilegio de \\\"Edit Enterprise Data Interfaces\\\" ejecutar un SQL arbitrario contra una base de datos de terceros si EDI est\u00e1 configurado para importar datos de esta base de datos.\u0026#xa0;Este problema afecta a: Gallagher Command Center versiones 8.30 anteriores a 8.30.1236(MR1);\u0026#xa0;versiones 8.20 anteriores a 8.20.1166(MR3);\u0026#xa0;versiones 8.10 anteriores a 8.10.1211 (MR5);\u0026#xa0;versiones 8.00 anteriores a 8.00.1228(MR6);\u0026#xa0;versi\u00f3n 7.90 y versiones anteriores.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"disclosures@gallagher.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.3,\"impactScore\":5.3},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":6.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"disclosures@gallagher.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"7.90.0\",\"matchCriteriaId\":\"AEC327DD-614D-4F03-B77A-941EFE1269F3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.00\",\"versionEndExcluding\":\"8.00.1228\",\"matchCriteriaId\":\"8AF24E0D-FEF8-4814-A689-50869362C70A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.10\",\"versionEndExcluding\":\"8.10.1211\",\"matchCriteriaId\":\"55BB8603-0AAE-49A3-B127-374F24C498DE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.20\",\"versionEndExcluding\":\"8.20.1166\",\"matchCriteriaId\":\"DE7DBECA-3C79-4346-AB66-B7538B230FE7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.30\",\"versionEndExcluding\":\"8.30.1236\",\"matchCriteriaId\":\"F0DEE3F1-6EE3-4D31-BDF2-648F45C0EC20\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gallagher:command_centre:8.00.1228:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"B5A79B43-E943-44E2-B13A-64F955518C8F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gallagher:command_centre:8.00.1228:maintenance_release6:*:*:*:*:*:*\",\"matchCriteriaId\":\"8032E6B3-B5D4-4009-936B-35CA03CF0256\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gallagher:command_centre:8.10.1211:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"E672F2DB-6C4D-4549-977C-F4EDBCC461E3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gallagher:command_centre:8.10.1211:maintenance_release5:*:*:*:*:*:*\",\"matchCriteriaId\":\"4AE5C9DA-0A88-4A55-9395-7C2D357D9FF9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gallagher:command_centre:8.20.1166:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"3DACA47B-78DA-4ED5-A15B-04556FA11865\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gallagher:command_centre:8.20.1166:maintenance_release3:*:*:*:*:*:*\",\"matchCriteriaId\":\"38E86AF8-3460-4007-B5A2-0E4EA3F42974\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gallagher:command_centre:8.30.1236:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"34322F73-2AEF-4920-96DD-B138125A0660\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gallagher:command_centre:8.30.1236:maintenance_release1:*:*:*:*:*:*\",\"matchCriteriaId\":\"784CE63C-BE80-4111-9A56-6CD03CAE6E0D\"}]}]}],\"references\":[{\"url\":\"https://security.gallagher.com/Security-Advisories/CVE-2020-16104\",\"source\":\"disclosures@gallagher.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://security.gallagher.com/Security-Advisories/CVE-2020-16104\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…