CVE-2008-2667

Current Description

SQL injection vulnerability in the Courier Authentication Library (aka courier-authlib) before 0.60.6 on SUSE openSUSE 10.3 and 11.0, and other platforms, when MySQL and a non-Latin character set are used, allows remote attackers to execute arbitrary SQL commands via the username and unspecified other vectors.

Basic Data

Published: July 07, 2008
Last Modified: August 08, 2017
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-89
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:H/Au:N/C:P/I:P/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: HIGH
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 5.1
Severity: MEDIUM
Exploitability Score: 4.9
Impact Score: 6.4
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • AND
    • OR - Configuration 1
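      | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
      |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
      | 2.3 | Application | Courier-mta | Courier-authlib | 0.52 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Courier-mta | Courier-authlib | 0.53 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Courier-mta | Courier-authlib | 0.54 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Courier-mta | Courier-authlib | 0.55 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Courier-mta | Courier-authlib | 0.56 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Courier-mta | Courier-authlib | 0.57 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Courier-mta | Courier-authlib | 0.58 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Courier-mta | Courier-authlib | 0.59 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Courier-mta | Courier-authlib | 0.59.1 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Courier-mta | Courier-authlib | 0.59.2 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Courier-mta | Courier-authlib | 0.59.3 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Courier-mta | Courier-authlib | 0.60 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Courier-mta | Courier-authlib | 0.60.1 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Courier-mta | Courier-authlib | 0.60.2 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Courier-mta | Courier-authlib | 0.60.3 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Courier-mta | Courier-authlib | 0.60.4 | * | * | * | * | * | * | * | | | | |
      | 2.3 | Application | Courier-mta | Courier-authlib | 0.60.5 | * | * | * | * | * | * | * | | | | |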
    • OR Running on/with:
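      | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
      |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
      | 2.3 | OS | Suse | Open Suse | 10.3 | * | * | * | * | * | * | * | | | | |
      | 2.3 | OS | Suse | Open Suse | 11.0 | * | * | * | * | * | * | * | | | | |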

Vulnerable Software List

| Vendor | Product | Versions |
|---|---|---|
| Courier-mta | Courier-authlib | 0.52, 0.53, 0.54, 0.55, 0.56, 0.57, 0.58, 0.59, 0.59.1, 0.59.2, 0.59.3, 0.60, 0.60.1, 0.60.2, 0.60.3, 0.60.4, 0.60.5 |

References

| Name | Source | URL | Tags |
|---|---|---|---|
| http://bugs.gentoo.org/show_bug.cgi?id=225407 | CONFIRM | http://bugs.gentoo.org/show_bug.cgi?id=225407 | |
| SUSE-SR:2008:014 | SUSE | http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00001.html | Vendor Advisory |
| 30591 | SECUNIA | http://secunia.com/advisories/30591 | Vendor Advisory |
| 30967 | SECUNIA | http://secunia.com/advisories/30967 | Vendor Advisory |
| GLSA-200809-05 | GENTOO | http://security.gentoo.org/glsa/glsa-200809-05.xml | |
| http://www.courier-mta.org/authlib/changelog.html | CONFIRM | http://www.courier-mta.org/authlib/changelog.html | |
| [courier-users] 20080314 Re: [courier-users] [Fwd: Re: authmysql vs apostrophe] | MLIST | http://www.mail-archive.com/courier-users@lists.sourceforge.net/msg31362.html | |
| [courier-announce] 20080608 courier-authlib 0.60.6 released | MLIST | http://www.nabble.com/courier-authlib-0.60.6-released-td17720739.html | |
| opensuse-unspecified-sql-injection(43628) | XF | https://exchange.xforce.ibmcloud.com/vulnerabilities/43628 | |