CVE-2024-12727 (GCVE-0-2024-12727)

Vulnerability from cvelistv5 – Published: 2024-12-19 20:26 – Updated: 2024-12-21 04:55
VLAI?
Summary
A pre-auth SQL injection vulnerability in the email protection feature of Sophos Firewall versions older than 21.0 MR1 (21.0.1) allows access to the reporting database and can lead to remote code execution if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode.
Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
Vendor Product Version
Sophos Sophos Firewall Affected: 0 , < 21.0 MR1 (21.0.1) (semver)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-12727",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-20T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-21T04:55:59.875Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Sophos Firewall",
          "vendor": "Sophos",
          "versions": [
            {
              "lessThan": "21.0 MR1 (21.0.1)",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA pre-auth SQL injection vulnerability in the email protection feature of Sophos Firewall versions older than 21.0 MR1 (21.0.1) allows access to the reporting database and can lead to remote code execution if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode.\u003c/p\u003e"
            }
          ],
          "value": "A pre-auth SQL injection vulnerability in the email protection feature of Sophos Firewall versions older than 21.0 MR1 (21.0.1) allows access to the reporting database and can lead to remote code execution if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-108",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-108 Command Line Execution through SQL Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T20:33:19.807Z",
        "orgId": "526a354d-e866-4174-ae7d-bac848e5c4c5",
        "shortName": "Sophos"
      },
      "references": [
        {
          "url": "https://www.sophos.com/en-us/security-advisories/sophos-sa-20241219-sfos-rce"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "526a354d-e866-4174-ae7d-bac848e5c4c5",
    "assignerShortName": "Sophos",
    "cveId": "CVE-2024-12727",
    "datePublished": "2024-12-19T20:26:59.325Z",
    "dateReserved": "2024-12-17T18:21:52.796Z",
    "dateUpdated": "2024-12-21T04:55:59.875Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A pre-auth SQL injection vulnerability in the email protection feature of Sophos Firewall versions older than 21.0 MR1 (21.0.1) allows access to the reporting database and can lead to remote code execution if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode.\"}, {\"lang\": \"es\", \"value\": \"Una vulnerabilidad de inyecci\\u00f3n SQL previa a la autenticaci\\u00f3n en la funci\\u00f3n de protecci\\u00f3n de correo electr\\u00f3nico de las versiones de Sophos Firewall anteriores a 21.0 MR1 (21.0.1) permite el acceso a la base de datos de informes y puede provocar la ejecuci\\u00f3n remota de c\\u00f3digo si se habilita una configuraci\\u00f3n espec\\u00edfica de Secure PDF eXchange (SPX) en combinaci\\u00f3n con el firewall ejecut\\u00e1ndose en modo de alta disponibilidad (HA).\"}]",
      "id": "CVE-2024-12727",
      "lastModified": "2024-12-19T21:15:07.740",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-alert@sophos.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
      "published": "2024-12-19T21:15:07.740",
      "references": "[{\"url\": \"https://www.sophos.com/en-us/security-advisories/sophos-sa-20241219-sfos-rce\", \"source\": \"security-alert@sophos.com\"}]",
      "sourceIdentifier": "security-alert@sophos.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-alert@sophos.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-89\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-12727\",\"sourceIdentifier\":\"security-alert@sophos.com\",\"published\":\"2024-12-19T21:15:07.740\",\"lastModified\":\"2025-11-12T19:27:32.093\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A pre-auth SQL injection vulnerability in the email protection feature of Sophos Firewall versions older than 21.0 MR1 (21.0.1) allows access to the reporting database and can lead to remote code execution if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de inyecci\u00f3n SQL previa a la autenticaci\u00f3n en la funci\u00f3n de protecci\u00f3n de correo electr\u00f3nico de las versiones de Sophos Firewall anteriores a 21.0 MR1 (21.0.1) permite el acceso a la base de datos de informes y puede provocar la ejecuci\u00f3n remota de c\u00f3digo si se habilita una configuraci\u00f3n espec\u00edfica de Secure PDF eXchange (SPX) en combinaci\u00f3n con el firewall ejecut\u00e1ndose en modo de alta disponibilidad (HA).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-alert@sophos.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-alert@sophos.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:sophos:firewall_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"21.0.1\",\"matchCriteriaId\":\"2F61096C-54B8-491E-963C-4461F0657EE8\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:sophos:firewall:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2F728103-324C-4F34-9EE6-6E922018A2EB\"}]}]}],\"references\":[{\"url\":\"https://www.sophos.com/en-us/security-advisories/sophos-sa-20241219-sfos-rce\",\"source\":\"security-alert@sophos.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-12727\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-20T17:02:56.791407Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-20T17:02:58.053Z\"}}], \"cna\": {\"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-108\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-108 Command Line Execution through SQL Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Sophos\", \"product\": \"Sophos Firewall\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"21.0 MR1 (21.0.1)\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.sophos.com/en-us/security-advisories/sophos-sa-20241219-sfos-rce\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A pre-auth SQL injection vulnerability in the email protection feature of Sophos Firewall versions older than 21.0 MR1 (21.0.1) allows access to the reporting database and can lead to remote code execution if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eA pre-auth SQL injection vulnerability in the email protection feature of Sophos Firewall versions older than 21.0 MR1 (21.0.1) allows access to the reporting database and can lead to remote code execution if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"526a354d-e866-4174-ae7d-bac848e5c4c5\", \"shortName\": \"Sophos\", \"dateUpdated\": \"2024-12-19T20:33:19.807Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-12727\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-21T04:55:59.875Z\", \"dateReserved\": \"2024-12-17T18:21:52.796Z\", \"assignerOrgId\": \"526a354d-e866-4174-ae7d-bac848e5c4c5\", \"datePublished\": \"2024-12-19T20:26:59.325Z\", \"assignerShortName\": \"Sophos\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.