From 5fa8aac900be416c3b3fa25d85f54d58f042e16c Mon Sep 17 00:00:00 2001
From: AvayaSecurityAlerts
Date: Thu, 4 Apr 2019 09:39:14 -0600
Subject: [PATCH 1/3] Initial CVEs for ASA-2019-058
---
 2019/7xxx/CVE-2019-7001.json | 107 ++++++++++++++++++++++++++++++-----
 1 file changed, 92 insertions(+), 15 deletions(-)
diff --git a/2019/7xxx/CVE-2019-7001.json b/2019/7xxx/CVE-2019-7001.json
index 55b06e1beb7..aa7acf55039 100644
--- a/2019/7xxx/CVE-2019-7001.json
+++ b/2019/7xxx/CVE-2019-7001.json
@@ -1,18 +1,95 @@
 {
- "CVE_data_meta": {
- "ASSIGNER": "cve@mitre.org",
- "ID": "CVE-2019-7001",
- "STATE": "RESERVED"
- },
- "data_format": "MITRE",
- "data_type": "CVE",
- "data_version": "4.0",
- "description": {
- "description_data": [
+ "CVE_data_meta": {
+ "ASSIGNER": "securityalerts@avaya.com",
+ "DATE_PUBLIC": "2019-04-04T00:00:00.000Z",
+ "ID": "CVE-2019-7001",
+ "STATE": "DRAFT",
+ "TITLE": "Avaya IPOCC WebUI SQL Injection"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
 {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "product": {
+ "product_data": [
+ {
+ "product_name": "IP Office Contact Center",
+ "version": {
+ "version_data": [
+ {
+ "affected": "=",
+ "version_name": "10.0.x",
+ "version_value": "10.x"
+ },
+ {
+ "affected": "<",
+ "version_name": "10.1.x",
+ "version_value": "10.1.2.2.2-11201.1906"
+ },
+ {
+ "affected": "=",
+ "version_name": "9.x",
+ "version_value": "9.x"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Avaya"
 }
- ]
- }
-}
\ No newline at end of file
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "A SQL injection vulnerability in the WebUI component of IP Office Contact Center could allow an authenticated attacker to retrieve or alter sensitive data related to other users on the system. Affected versions of IP Office Contact Center include all 9.x and 10.x versions prior to 10.1.2.2.2-11201.1906. Unsupported versions not listed here were not evaluated."
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "HIGH",
+ "baseScore": 9.9,
+ "baseSeverity": "CRITICAL",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "LOW",
+ "scope": "CHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+ "version": "3.0"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://downloads.avaya.com/css/P8/documents/101056762",
+ "refsource": "CONFIRM",
+ "url": "https://downloads.avaya.com/css/P8/documents/101056762"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "ASA-2019-058"
+ }
+}
From 895927a992f9f24a8cb6c48e766543ea6de1970d Mon Sep 17 00:00:00 2001
From: AvayaSecurityAlerts
Date: Thu, 4 Apr 2019 09:42:49 -0600
Subject: [PATCH 2/3] Initial CVEs for ASA-2019-058
---
 2019/7xxx/CVE-2019-7001.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/2019/7xxx/CVE-2019-7001.json b/2019/7xxx/CVE-2019-7001.json
index aa7acf55039..b0068f30808 100644
--- a/2019/7xxx/CVE-2019-7001.json
+++ b/2019/7xxx/CVE-2019-7001.json
@@ -3,7 +3,7 @@
 "ASSIGNER": "securityalerts@avaya.com",
 "DATE_PUBLIC": "2019-04-04T00:00:00.000Z",
 "ID": "CVE-2019-7001",
- "STATE": "DRAFT",
+ "STATE": "PUBLIC",
 "TITLE": "Avaya IPOCC WebUI SQL Injection"
 },
 "affects": {
@@ -24,7 +24,7 @@
 {
 "affected": "<",
 "version_name": "10.1.x",
- "version_value": "10.1.2.2.2-11201.1906"
+ "version_value": "10.1.2.2.2-11201.1908"
 },
 {
 "affected": "=",
From fd861f72eb2fef0a2ce47fe6aa6390988cbdaeef Mon Sep 17 00:00:00 2001
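Review bot: In the `version_data` array added by patch 1/3, the entry named `10.0.x` carries `"version_value": "10.x"` with `"affected": "="`, which overlaps the `10.1.x` entry and, read literally, marks every 10.x build as affected, including the fixed 10.1.2.2.2 build. A vulnerability scanner or asset-matching job that keys on `version_value` could therefore keep flagging patched systems. If the 10.0 branch is what is meant, `"version_value": "10.0.x"` would agree with `version_name` and with the `<` bound on the 10.1.x entry. Patches 2/3 and 3/3 change only `STATE`, the 10.1.x build number and the description text, so this value is still present at the end of the series.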
From: AvayaSecurityAlerts
Date: Thu, 4 Apr 2019 09:43:49 -0600
Subject: [PATCH 3/3] update IPOCC patch number for ASA-2019-058
---
 2019/7xxx/CVE-2019-7001.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/2019/7xxx/CVE-2019-7001.json b/2019/7xxx/CVE-2019-7001.json
index b0068f30808..d3ae229b5e8 100644
--- a/2019/7xxx/CVE-2019-7001.json
+++ b/2019/7xxx/CVE-2019-7001.json
@@ -48,7 +48,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "A SQL injection vulnerability in the WebUI component of IP Office Contact Center could allow an authenticated attacker to retrieve or alter sensitive data related to other users on the system. Affected versions of IP Office Contact Center include all 9.x and 10.x versions prior to 10.1.2.2.2-11201.1906. Unsupported versions not listed here were not evaluated."
+ "value": "A SQL injection vulnerability in the WebUI component of IP Office Contact Center could allow an authenticated attacker to retrieve or alter sensitive data related to other users on the system. Affected versions of IP Office Contact Center include all 9.x and 10.x versions prior to 10.1.2.2.2-11201.1908. Unsupported versions not listed here were not evaluated."
 }
 ]
 },