CVE-2022-24407

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-24407
In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References
Link Resource
http://www.openwall.com/lists/oss-security/2022/02/23/4 Mailing List Patch Third Party Advisory
https://github.com/cyrusimap/cyrus-sasl/blob/fdcd13ceaef8de684dc69008011fa865c5b4a3ac/docsrc/sasl/release-notes/2.1/index.rst Release Notes Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/03/msg00002.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4FIXU75Q6RBNK6UYM7MQ3TCFGXR7AX4U/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H26R4SMGM3WHXX4XYNNJB4YGFIL5UNF4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZZC6BMPI3V3MC2IGNLN377ETUWO7QBIH/
https://security.netapp.com/advisory/ntap-20221007-0003/ Third Party Advisory
https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28 Release Notes Vendor Advisory
https://www.debian.org/security/2022/dsa-5087 Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html Patch Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:cyrusimap:cyrus-sasl:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_console:22.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.1:*:*:*:*:*:*:*
History

07 Nov 2023, 03:44

Type Values Removed Values Added
References
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4FIXU75Q6RBNK6UYM7MQ3TCFGXR7AX4U/', 'name': 'FEDORA-2022-e33e824d37', 'tags': ['Issue Tracking', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H26R4SMGM3WHXX4XYNNJB4YGFIL5UNF4/', 'name': 'FEDORA-2022-8cc64f73d0', 'tags': ['Issue Tracking', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZC6BMPI3V3MC2IGNLN377ETUWO7QBIH/', 'name': 'FEDORA-2022-f9642fab70', 'tags': ['Issue Tracking', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZZC6BMPI3V3MC2IGNLN377ETUWO7QBIH/ -
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H26R4SMGM3WHXX4XYNNJB4YGFIL5UNF4/ -
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4FIXU75Q6RBNK6UYM7MQ3TCFGXR7AX4U/ -

07 Nov 2022, 17:28

Type Values Removed Values Added
CPE cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_console:22.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.1:*:*:*:*:*:*:*
cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
References (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory
References (CONFIRM) https://security.netapp.com/advisory/ntap-20221007-0003/ - (CONFIRM) https://security.netapp.com/advisory/ntap-20221007-0003/ - Third Party Advisory
First Time Oracle communications Cloud Native Core Security Edge Protection Proxy
Oracle communications Cloud Native Core Network Function Cloud Native Environment
Netapp active Iq Unified Manager
Oracle communications Cloud Native Core Console
Netapp
Oracle
Netapp ontap Select Deploy Administration Utility

07 Oct 2022, 14:16

Type Values Removed Values Added
References
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20221007-0003/ -

25 Jul 2022, 18:21

Type Values Removed Values Added
References
  • (N/A) https://www.oracle.com/security-alerts/cpujul2022.html -

25 Apr 2022, 16:48

Type Values Removed Values Added
References (MLIST) https://lists.debian.org/debian-lts-announce/2022/03/msg00002.html - (MLIST) https://lists.debian.org/debian-lts-announce/2022/03/msg00002.html - Mailing List, Third Party Advisory
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H26R4SMGM3WHXX4XYNNJB4YGFIL5UNF4/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H26R4SMGM3WHXX4XYNNJB4YGFIL5UNF4/ - Issue Tracking, Third Party Advisory
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZC6BMPI3V3MC2IGNLN377ETUWO7QBIH/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZC6BMPI3V3MC2IGNLN377ETUWO7QBIH/ - Issue Tracking, Third Party Advisory
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4FIXU75Q6RBNK6UYM7MQ3TCFGXR7AX4U/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4FIXU75Q6RBNK6UYM7MQ3TCFGXR7AX4U/ - Issue Tracking, Third Party Advisory
CPE cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
First Time Fedoraproject fedora
Fedoraproject

26 Mar 2022, 17:15

Type Values Removed Values Added
References
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4FIXU75Q6RBNK6UYM7MQ3TCFGXR7AX4U/ -

10 Mar 2022, 17:46

Type Values Removed Values Added
References
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H26R4SMGM3WHXX4XYNNJB4YGFIL5UNF4/ -
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZC6BMPI3V3MC2IGNLN377ETUWO7QBIH/ -

06 Mar 2022, 20:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2022/03/msg00002.html -

03 Mar 2022, 19:08

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : 6.5
v3 : 8.8
CWE CWE-89
CPE cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:a:cyrusimap:cyrus-sasl:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
References (MLIST) http://www.openwall.com/lists/oss-security/2022/02/23/4 - (MLIST) http://www.openwall.com/lists/oss-security/2022/02/23/4 - Mailing List, Patch, Third Party Advisory
References (DEBIAN) https://www.debian.org/security/2022/dsa-5087 - (DEBIAN) https://www.debian.org/security/2022/dsa-5087 - Third Party Advisory
References (MISC) https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28 - (MISC) https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28 - Release Notes, Vendor Advisory
References (CONFIRM) https://github.com/cyrusimap/cyrus-sasl/blob/fdcd13ceaef8de684dc69008011fa865c5b4a3ac/docsrc/sasl/release-notes/2.1/index.rst - (CONFIRM) https://github.com/cyrusimap/cyrus-sasl/blob/fdcd13ceaef8de684dc69008011fa865c5b4a3ac/docsrc/sasl/release-notes/2.1/index.rst - Release Notes, Third Party Advisory
First Time Debian debian Linux
Debian
Cyrusimap cyrus-sasl
Cyrusimap

02 Mar 2022, 03:15

Type Values Removed Values Added
References
  • (DEBIAN) https://www.debian.org/security/2022/dsa-5087 -

24 Feb 2022, 16:02

Type Values Removed Values Added
New CVE
Information

Published : 2022-02-24 15:15

Updated : 2023-12-10 14:22

NVD link : CVE-2022-24407

Mitre link : CVE-2022-24407

CVE.ORG link : CVE-2022-24407

JSON object : View

Products Affected

debian

  • debian_linux

fedoraproject

  • fedora

netapp

  • active_iq_unified_manager
  • ontap_select_deploy_administration_utility

oracle

  • communications_cloud_native_core_security_edge_protection_proxy
  • communications_cloud_native_core_network_function_cloud_native_environment
  • communications_cloud_native_core_console

cyrusimap

  • cyrus-sasl
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')