Vulnerability-Lookup

CNVD-2020-49557

Vulnerability from cnvd - Published: 2020-08-28

Title

Red Gate Software Redgate SQL Monitor信息泄露漏洞

Description

Red Gate Software Redgate SQL Monitor是英国Red Gate Software公司的一款数据库监控工具。该产品支持Microsoft SQL Server监视、警报和分析等。 Red Gate Software Redgate SQL Monitor 7.1.4版本至10.1.6版本中存在安全漏洞，该漏洞源于在关闭TLS安全证书检查时，影响的范围会超出Configuration ＞ Notifications页面中所规定的范围。攻击者可利用该漏洞进行中间人攻击。

Severity

中

Patch Name

Red Gate Software Redgate SQL Monitor信息泄露漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www.red-gate.com/privacy-and-security/vulnerabilities/2020-07-08-sql-monitor

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-15526

Impacted products

Name
red-gate Red Gate Software Redgate SQL Monitor >=7.1.4，<=10.1.6

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-15526",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-15526"
    }
  },
  "description": "Red Gate Software Redgate SQL Monitor\u662f\u82f1\u56fdRed Gate Software\u516c\u53f8\u7684\u4e00\u6b3e\u6570\u636e\u5e93\u76d1\u63a7\u5de5\u5177\u3002\u8be5\u4ea7\u54c1\u652f\u6301Microsoft SQL Server\u76d1\u89c6\u3001\u8b66\u62a5\u548c\u5206\u6790\u7b49\u3002\n\nRed Gate Software Redgate SQL Monitor 7.1.4\u7248\u672c\u81f310.1.6\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u5173\u95edTLS\u5b89\u5168\u8bc1\u4e66\u68c0\u67e5\u65f6\uff0c\u5f71\u54cd\u7684\u8303\u56f4\u4f1a\u8d85\u51faConfiguration \uff1e Notifications\u9875\u9762\u4e2d\u6240\u89c4\u5b9a\u7684\u8303\u56f4\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8fdb\u884c\u4e2d\u95f4\u4eba\u653b\u51fb\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.red-gate.com/privacy-and-security/vulnerabilities/2020-07-08-sql-monitor",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-49557",
  "openTime": "2020-08-28",
  "patchDescription": "Red Gate Software Redgate SQL Monitor\u662f\u82f1\u56fdRed Gate Software\u516c\u53f8\u7684\u4e00\u6b3e\u6570\u636e\u5e93\u76d1\u63a7\u5de5\u5177\u3002\u8be5\u4ea7\u54c1\u652f\u6301Microsoft SQL Server\u76d1\u89c6\u3001\u8b66\u62a5\u548c\u5206\u6790\u7b49\u3002\r\n\r\nRed Gate Software Redgate SQL Monitor 7.1.4\u7248\u672c\u81f310.1.6\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u5173\u95edTLS\u5b89\u5168\u8bc1\u4e66\u68c0\u67e5\u65f6\uff0c\u5f71\u54cd\u7684\u8303\u56f4\u4f1a\u8d85\u51faConfiguration \uff1e Notifications\u9875\u9762\u4e2d\u6240\u89c4\u5b9a\u7684\u8303\u56f4\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8fdb\u884c\u4e2d\u95f4\u4eba\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Red Gate Software Redgate SQL Monitor\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "red-gate Red Gate Software Redgate SQL Monitor \u003e=7.1.4\uff0c\u003c=10.1.6"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-15526",
  "serverity": "\u4e2d",
  "submitTime": "2020-07-12",
  "title": "Red Gate Software Redgate SQL Monitor\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2020-15526 (GCVE-0-2020-15526)

Vulnerability from cvelistv5 – Published: 2020-07-09 16:40 – Updated: 2024-08-04 13:15

Summary

In Redgate SQL Monitor 7.1.4 through 10.1.6 (inclusive), the scope for disabling some TLS security certificate checks can extend beyond that defined by various options on the Configuration > Notifications pages to disable certificate checking for alert notifications. These TLS security checks are also ignored during monitoring of VMware machines. This would make SQL Monitor vulnerable to potential man-in-the-middle attacks when sending alert notification emails, posting to Slack or posting to webhooks. The vulnerability is fixed in version 10.1.7.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

https://www.red-gate.com/privacy-and-security/vul…

x_refsource_CONFIRM

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:15:20.780Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.red-gate.com/privacy-and-security/vulnerabilities/2020-07-08-sql-monitor"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Redgate SQL Monitor 7.1.4 through 10.1.6 (inclusive), the scope for disabling some TLS security certificate checks can extend beyond that defined by various options on the Configuration \u003e Notifications pages to disable certificate checking for alert notifications. These TLS security checks are also ignored during monitoring of VMware machines. This would make SQL Monitor vulnerable to potential man-in-the-middle attacks when sending alert notification emails, posting to Slack or posting to webhooks. The vulnerability is fixed in version 10.1.7."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-09T16:40:52.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.red-gate.com/privacy-and-security/vulnerabilities/2020-07-08-sql-monitor"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-15526",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Redgate SQL Monitor 7.1.4 through 10.1.6 (inclusive), the scope for disabling some TLS security certificate checks can extend beyond that defined by various options on the Configuration \u003e Notifications pages to disable certificate checking for alert notifications. These TLS security checks are also ignored during monitoring of VMware machines. This would make SQL Monitor vulnerable to potential man-in-the-middle attacks when sending alert notification emails, posting to Slack or posting to webhooks. The vulnerability is fixed in version 10.1.7."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.red-gate.com/privacy-and-security/vulnerabilities/2020-07-08-sql-monitor",
              "refsource": "CONFIRM",
              "url": "https://www.red-gate.com/privacy-and-security/vulnerabilities/2020-07-08-sql-monitor"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-15526",
    "datePublished": "2020-07-09T16:40:52.000Z",
    "dateReserved": "2020-07-04T00:00:00.000Z",
    "dateUpdated": "2024-08-04T13:15:20.780Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-49557

CVE-2020-15526 (GCVE-0-2020-15526)

Tags

Sightings

Nomenclature