cnvd - cnvd-2024-44858

CNVD-2024-44858

Vulnerability from cnvd - Published: 2024-11-14

Title

SuiteCRM SQL注入漏洞（CNVD-2024-44858）

Description

SuiteCRM是一款开源的企业级客户关系管理（CRM）软件。 SuiteCRM存在SQL注入漏洞，该漏洞是由于输入值验证不足导致的。攻击者可利用该漏洞执行SQL命令，进而可能获取敏感信息或操纵数据库。

Severity

高

Patch Name

SuiteCRM SQL注入漏洞（CNVD-2024-44858）的补丁

Patch Description

SuiteCRM是一款开源的企业级客户关系管理（CRM）软件。 SuiteCRM存在SQL注入漏洞，该漏洞是由于输入值验证不足导致的。攻击者可利用该漏洞执行SQL命令，进而可能获取敏感信息或操纵数据库。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已提供漏洞修复方案，请关注厂商主页更新： https://github.com/salesagility/SuiteCRM/releases/tag/v7.14.6

Reference

https://nvd.nist.gov/vuln/detail/CVE-2024-50332

Impacted products

Name
['SuiteCRM SuiteCRM <7.14.6', 'SuiteCRM SuiteCRM >=8.0.0，<8.7.1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-50332",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-50332"
    }
  },
  "description": "SuiteCRM\u662f\u4e00\u6b3e\u5f00\u6e90\u7684\u4f01\u4e1a\u7ea7\u5ba2\u6237\u5173\u7cfb\u7ba1\u7406\uff08CRM\uff09\u8f6f\u4ef6\u3002\n\nSuiteCRM\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u662f\u7531\u4e8e\u8f93\u5165\u503c\u9a8c\u8bc1\u4e0d\u8db3\u5bfc\u81f4\u7684\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884cSQL\u547d\u4ee4\uff0c\u8fdb\u800c\u53ef\u80fd\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u6216\u64cd\u7eb5\u6570\u636e\u5e93\u3002",
  "formalWay": "\u5382\u5546\u5df2\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://github.com/salesagility/SuiteCRM/releases/tag/v7.14.6",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-44858",
  "openTime": "2024-11-14",
  "patchDescription": "SuiteCRM\u662f\u4e00\u6b3e\u5f00\u6e90\u7684\u4f01\u4e1a\u7ea7\u5ba2\u6237\u5173\u7cfb\u7ba1\u7406\uff08CRM\uff09\u8f6f\u4ef6\u3002\r\n\r\nSuiteCRM\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u662f\u7531\u4e8e\u8f93\u5165\u503c\u9a8c\u8bc1\u4e0d\u8db3\u5bfc\u81f4\u7684\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884cSQL\u547d\u4ee4\uff0c\u8fdb\u800c\u53ef\u80fd\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u6216\u64cd\u7eb5\u6570\u636e\u5e93\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SuiteCRM SQL\u6ce8\u5165\u6f0f\u6d1e\uff08CNVD-2024-44858\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "SuiteCRM SuiteCRM \u003c7.14.6",
      "SuiteCRM SuiteCRM \u003e=8.0.0\uff0c\u003c8.7.1"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2024-50332",
  "serverity": "\u9ad8",
  "submitTime": "2024-11-08",
  "title": "SuiteCRM SQL\u6ce8\u5165\u6f0f\u6d1e\uff08CNVD-2024-44858\uff09"
}

CVE-2024-50332 (GCVE-0-2024-50332)

Vulnerability from cvelistv5 – Published: 2024-11-05 18:40 – Updated: 2024-11-05 18:58

Title

Authenticated Blind SQL Injection in DeleteRelationShip in SuiteCRM

Summary

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Insufficient input value validation causes Blind SQL injection in DeleteRelationShip. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

GitHub_M

References

URL

Tags

https://github.com/salesagility/SuiteCRM/security…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	salesagility	SuiteCRM	Affected: < 7.14.6 Affected: >= 8.0.0, < 8.7.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "suitecrm",
            "vendor": "salesagility",
            "versions": [
              {
                "lessThan": "7.14.6",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThan": "8.7.1",
                "status": "affected",
                "version": "8.0.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-50332",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-05T18:57:39.892494Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-05T18:58:13.409Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SuiteCRM",
          "vendor": "salesagility",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.14.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0, \u003c 8.7.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Insufficient input value validation causes Blind SQL injection in DeleteRelationShip. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-05T18:40:14.977Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-53xh-mjmq-j35p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-53xh-mjmq-j35p"
        }
      ],
      "source": {
        "advisory": "GHSA-53xh-mjmq-j35p",
        "discovery": "UNKNOWN"
      },
      "title": "Authenticated Blind SQL Injection in DeleteRelationShip in SuiteCRM"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-50332",
    "datePublished": "2024-11-05T18:40:14.977Z",
    "dateReserved": "2024-10-22T17:54:40.953Z",
    "dateUpdated": "2024-11-05T18:58:13.409Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2024-44858

CVE-2024-50332 (GCVE-0-2024-50332)

Tags

Sightings

Nomenclature