Submission #383227: Horizon Business Services Inc. Caterease Software 16.0.1.1663 through 24.0.1.2405 CWE-250: Execution with Unnecessary Privileges - Information

Title: Horizon Business Services Inc. Caterease Software 16.0.1.1663 through 24.0.1.2405 CWE-250: Execution with Unnecessary Privileges
Description:
NOTE - This submission shall be embargoed until 14:00 CET on 2024-08-01 - NOTE
CVE-2024-38887: An issue in Horizon Business Services Inc. Caterease Software allows a remote attacker to expand control over the operating system from the database due to the execution of commands with unnecessary privileges.
Vulnerability Type: CWE-250: Execution with Unnecessary Privileges
Vendor of the Product: Horizon Business Services Inc.
Affected Product: Caterease Software
Affected Versions: 16.0.1.1663 through 24.0.1.2405
Attack Vector: Remote
Attack Type: CAPEC-470: Expanding Control over the Operating System from the Database
Vulnerability Summary: Caterease Software grants excessive privileges to the default Caterease SQL user by making this user a member of the dbo role in the SQL database. This role grants full administrative access not only to the Caterease Software database but also to all other databases within the SQL server. This misconfiguration means that any action performed by the Caterease Software client, regardless of the actual user's privileges within the application, is executed with administrative-level permissions in the SQL database. Exploiting this vulnerability, attackers can execute unauthorized commands with full administrative rights, leading to unauthorized access to sensitive data, data manipulation, and potential system compromise. Attackers can read, modify, or delete critical data, create new users with elevated privileges, and execute arbitrary SQL commands, which can disrupt database operations. This severely impacts the confidentiality, integrity, and availability of the SQL server and its databases, making it imperative to remediate this vulnerability by properly configuring user roles and privileges.
CVSS Base Score: Critical Risk - 9.6
CVSS v3.1 Vector: AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability Metrics: Attack Vector (AV): Adjacent Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None; Scope (S): Changed
Impact Metrics: Confidentiality (C): High; Integrity (I): High; Availability (A): High
(The vector string and the 9.6 score both correspond to PR:N; the submitted metric list stated "Low", which would score 9.0 with this vector. Note also that the description's "Attack Vector: Remote" does not match the vector's AV:A, Adjacent Network.)
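The summary above attributes instance-wide reach to membership in dbo. On SQL Server, being dbo (database owner) or db_owner is scoped to one database; reach into every other database comes from a server-level role such as sysadmin. The following T-SQL is an added example, not code from the submission, VulDB, or the vendor: it audits what the application's SQL login actually holds at both levels and sketches a least-privilege replacement. The login name 'caterease' and the database name 'Caterease' are assumptions; substitute the account the client connects with.

```sql
-- Added example (not from the submission or the vendor): audit the privileges
-- held by the application's SQL login on a SQL Server instance.
-- ASSUMPTION: the login is named 'caterease'; change it to match your install.
DECLARE @login sysname = N'caterease';

-- 1. Server-level fixed roles. sysadmin (or securityadmin/serveradmin) is what
--    gives "access to all other databases"; a database-scoped dbo does not.
SELECT r.name AS server_role, m.name AS member
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @login;

-- 2. Per-database mapping: is the login the owner (user 'dbo') or a member of
--    db_owner in any database? sp_MSforeachdb is undocumented but present on
--    every current SQL Server build; '?' is replaced by each database name.
DECLARE @sql nvarchar(max) = N'
USE [?];
SELECT DB_NAME() AS database_name,
       dp.name   AS database_user,
       CASE WHEN dp.name = N''dbo'' THEN N''dbo (database owner)''
            ELSE r.name END AS role_name
FROM sys.database_principals AS dp
LEFT JOIN sys.database_role_members AS drm
       ON drm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = drm.role_principal_id
WHERE dp.sid = SUSER_SID(N' + QUOTENAME(@login, '''') + N');';
EXEC sp_MSforeachdb @sql;

-- 3. Remediation sketch (run as an administrator, after confirming with the
--    vendor which objects the client really needs). Transfers ownership of the
--    application database away from the login, drops it from sysadmin, and
--    maps it back with table read/write plus EXECUTE on the dbo schema only.
-- ASSUMPTION: the application database is named 'Caterease'.
/*
ALTER SERVER ROLE sysadmin DROP MEMBER [caterease];
ALTER AUTHORIZATION ON DATABASE::[Caterease] TO [sa];  -- login is no longer dbo
USE [Caterease];
CREATE USER [caterease] FOR LOGIN [caterease];
ALTER ROLE db_datareader ADD MEMBER [caterease];
ALTER ROLE db_datawriter ADD MEMBER [caterease];
GRANT EXECUTE ON SCHEMA::dbo TO [caterease];
*/
```

Query 1 returning a sysadmin row is the finding that matches the CAPEC-470 impact described (OS-level control via the database, e.g. through xp_cmdshell, which only sysadmin can enable); query 2 returning rows for databases other than the application's own confirms the cross-database exposure. Re-run both after remediation and expect an empty result from query 1 and a single non-owner row from query 2.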
User: jTag Labs (UID 51246)
Submitted: 2024-07-30 16:57 (2 years ago)
Moderated: 2024-08-01 14:15 (2 days later)
Status: Accepted
VulDB Entry: 273371 [Horizon Business Services Caterease up to 24.0.1.2405 SQL User privilege escalation]
Points: 17