製品・ソフトウェアに関する情報

JVN脆弱性詳細

SilverStripe の core/model/Translatable.php における SQL インジェクションの脆弱性

Title	SilverStripe の core/model/Translatable.php における SQL インジェクションの脆弱性
Summary	SilverStripe の core/model/Translatable.php の augmentSQL メソッドには、Translatable エクステンションが有効な場合、SQL インジェクションの脆弱性が存在します。
Possible impacts	第三者により、locale パラメータを介して、任意の SQL コマンドを実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Dec. 21, 2010, midnight
Registration Date	Sept. 20, 2012, 10:38 a.m.
Last Update	Sept. 20, 2012, 10:38 a.m.

Affected System

SilverStripe

SilverStripe 2.3.10 未満の 2.3.x

SilverStripe 2.4.4 未満の 2.4.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2010-4824	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4824
National Vulnerability Database (NVD)
2	CVE-2010-4824	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4824

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-89	https://jvndb.jvn.jp/ja/cwe/CWE-89.html

ベンダー情報

No	Name	URL
SilverStripe
1	2.3.10 (2010-12-21)	http://doc.silverstripe.org/framework/en/trunk/changelogs//2.3.10
2	2.4.4 (2010-12-21)	http://doc.silverstripe.org/framework/en/trunk/changelogs//2.4.4
3	Changeset 114515	http://open.silverstripe.org/changeset/114515
4	Changeset 114517	http://open.silverstripe.org/changeset/114517

Change Log

No	Changed Details	Date of change
0	[2012年09月20日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2010-4824

Summary	SQL injection vulnerability in the augmentSQL method in core/model/Translatable.php in SilverStripe 2.3.x before 2.3.10 and 2.4.x before 2.4.4, when the Translatable extension is enabled, allows remote attackers to execute arbitrary SQL commands via the locale parameter.
Publication Date	Sept. 18, 2012, 2:55 a.m.
Registration Date	Jan. 29, 2021, 11:10 a.m.
Last Update	Nov. 21, 2024, 10:21 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:silverstripe:silverstripe:2.3.4:::::::*
cpe:2.3:a:silverstripe:silverstripe:2.3.7:::::::*
cpe:2.3:a:silverstripe:silverstripe:2.3.3:::::::*
cpe:2.3:a:silverstripe:silverstripe:2.3.8:::::::*
cpe:2.3:a:silverstripe:silverstripe:2.3.1:::::::*
cpe:2.3:a:silverstripe:silverstripe:2.3.5:::::::*
cpe:2.3:a:silverstripe:silverstripe:2.3.9:::::::*
cpe:2.3:a:silverstripe:silverstripe:2.3.6:::::::*
cpe:2.3:a:silverstripe:silverstripe:2.3.0:::::::*
cpe:2.3:a:silverstripe:silverstripe:2.3.2:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:silverstripe:silverstripe:2.4.1:::::::*
cpe:2.3:a:silverstripe:silverstripe:2.4.0:::::::*
cpe:2.3:a:silverstripe:silverstripe:2.4.2:::::::*
cpe:2.3:a:silverstripe:silverstripe:2.4.3:::::::*

Related information, measures and tools

No	URL	タグ
1	http://doc.silverstripe.org/framework/en/trunk/changelogs//2.3.10	Vendor Advisory
2	http://doc.silverstripe.org/framework/en/trunk/changelogs//2.4.4	Vendor Advisory
3	http://open.silverstripe.org/changeset/114515	Exploit Patch
4	http://open.silverstripe.org/changeset/114517	Exploit Patch
5	http://secunia.com/advisories/42346	Vendor Advisory
6	http://www.openwall.com/lists/oss-security/2011/01/03/12
7	http://www.openwall.com/lists/oss-security/2012/04/30/1
8	http://www.openwall.com/lists/oss-security/2012/04/30/3	Patch
9	http://www.openwall.com/lists/oss-security/2012/05/01/3
10	http://www.osvdb.org/69884
11	http://www.securityfocus.com/bid/45367
12	https://exchange.xforce.ibmcloud.com/vulnerabilities/63989
13	http://doc.silverstripe.org/framework/en/trunk/changelogs//2.3.10	Vendor Advisory
14	https://exchange.xforce.ibmcloud.com/vulnerabilities/63989
15	http://www.securityfocus.com/bid/45367
16	http://www.osvdb.org/69884
17	http://www.openwall.com/lists/oss-security/2012/05/01/3
18	http://www.openwall.com/lists/oss-security/2012/04/30/3	Patch
19	http://www.openwall.com/lists/oss-security/2012/04/30/1
20	http://www.openwall.com/lists/oss-security/2011/01/03/12
21	http://secunia.com/advisories/42346	Vendor Advisory
22	http://open.silverstripe.org/changeset/114517	Exploit Patch
23	http://open.silverstripe.org/changeset/114515	Exploit Patch
24	http://doc.silverstripe.org/framework/en/trunk/changelogs//2.4.4	Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-89	SQLインジェクション	https://cwe.mitre.org/data/definitions/89.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:silverstripe:silverstripe:2.3.4:::::::*
cpe:2.3:a:silverstripe:silverstripe:2.3.7:::::::*
cpe:2.3:a:silverstripe:silverstripe:2.3.3:::::::*
cpe:2.3:a:silverstripe:silverstripe:2.3.8:::::::*
cpe:2.3:a:silverstripe:silverstripe:2.3.1:::::::*
cpe:2.3:a:silverstripe:silverstripe:2.3.5:::::::*
cpe:2.3:a:silverstripe:silverstripe:2.3.9:::::::*
cpe:2.3:a:silverstripe:silverstripe:2.3.6:::::::*
cpe:2.3:a:silverstripe:silverstripe:2.3.0:::::::*
cpe:2.3:a:silverstripe:silverstripe:2.3.2:::::::*