NVD Vulnerability Detail

CVE-2011-2703

Summary	Multiple SQL injection vulnerabilities in MapServer before 4.10.7, 5.x before 5.6.7, and 6.x before 6.0.1 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) OGC filter encoding or (2) WMS time support.
Publication Date	Aug. 2, 2011, 4:55 a.m.
Registration Date	Jan. 28, 2021, 4:39 p.m.
Last Update	Nov. 21, 2024, 10:28 a.m.

CVSS2.0 : HIGH
Score	7.5
Vector	AV:N/AC:L/Au:N/C:P/I:P/A:P
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	低
可用性への影響(A)	低
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:osgeo:mapserver:4.2.0:beta1::::::
cpe:2.3:a:osgeo:mapserver:4.4.0:beta1::::::
cpe:2.3:a:osgeo:mapserver:4.4.0:beta2::::::
cpe:2.3:a:osgeo:mapserver:4.6.0:beta1::::::
cpe:2.3:a:osgeo:mapserver:4.6.0:beta2::::::
cpe:2.3:a:osgeo:mapserver:4.6.0:beta3::::::
cpe:2.3:a:osgeo:mapserver:4.8.0:beta2::::::
cpe:2.3:a:osgeo:mapserver:4.8.0:beta1::::::
cpe:2.3:a:osgeo:mapserver:4.8.0:beta3::::::
cpe:2.3:a:osgeo:mapserver:4.8.0:rc2::::::
cpe:2.3:a:osgeo:mapserver:4.8.0:rc1::::::
cpe:2.3:a:osgeo:mapserver:4.10.0:::::::*
cpe:2.3:a:osgeo:mapserver:4.10.0:beta1::::::
cpe:2.3:a:osgeo:mapserver:4.10.0:rc1::::::
cpe:2.3:a:osgeo:mapserver:4.10.0:beta3::::::
cpe:2.3:a:osgeo:mapserver:4.10.0:beta2::::::
cpe:2.3:a:osgeo:mapserver:4.10.4:::::::*
cpe:2.3:a:osgeo:mapserver:4.10.2:::::::*
cpe:2.3:a:osgeo:mapserver:4.10.1:::::::*
cpe:2.3:a:osgeo:mapserver:4.10.3:::::::*
cpe:2.3:a:osgeo:mapserver:4.10.5:::::::*
cpe:2.3:a:osgeo:mapserver:4.6.0:::::::*
cpe:2.3:a:osgeo:mapserver:4.6.0:rc1::::::
cpe:2.3:a:osgeo:mapserver::::::::		4.10.6
cpe:2.3:a:osgeo:mapserver:4.4.0:::::::*
cpe:2.3:a:osgeo:mapserver:4.4.0:beta3::::::

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:umn:mapserver:5.6.4:::::::*
cpe:2.3:a:umn:mapserver:5.2.2:::::::*
cpe:2.3:a:umn:mapserver:5.6.5:::::::*
cpe:2.3:a:umn:mapserver:5.6.6:::::::*
cpe:2.3:a:umn:mapserver:5.2.3:::::::*
cpe:2.3:a:osgeo:mapserver:5.0.0:beta5::::::
cpe:2.3:a:osgeo:mapserver:5.0.0:beta6::::::
cpe:2.3:a:osgeo:mapserver:5.0.0:beta3::::::
cpe:2.3:a:osgeo:mapserver:5.0.0:beta4::::::
cpe:2.3:a:osgeo:mapserver:5.0.0:beta1::::::
cpe:2.3:a:osgeo:mapserver:5.0.0:beta2::::::
cpe:2.3:a:osgeo:mapserver:5.0.0:rc1::::::
cpe:2.3:a:osgeo:mapserver:5.2.0:::::::*
cpe:2.3:a:osgeo:mapserver:5.2.0:beta2::::::
cpe:2.3:a:osgeo:mapserver:5.2.0:beta1::::::
cpe:2.3:a:osgeo:mapserver:5.2.0:beta3::::::
cpe:2.3:a:osgeo:mapserver:5.2.0:beta4::::::
cpe:2.3:a:osgeo:mapserver:5.2.0:rc1::::::
cpe:2.3:a:osgeo:mapserver:5.2.1:::::::*
cpe:2.3:a:osgeo:mapserver:5.4.0:::::::*
cpe:2.3:a:osgeo:mapserver:5.4.0:beta1::::::
cpe:2.3:a:osgeo:mapserver:5.4.0:beta2::::::
cpe:2.3:a:osgeo:mapserver:5.4.0:beta4::::::
cpe:2.3:a:osgeo:mapserver:5.4.0:beta3::::::
cpe:2.3:a:osgeo:mapserver:5.4.0:rc2::::::
cpe:2.3:a:osgeo:mapserver:5.4.0:rc1::::::
cpe:2.3:a:osgeo:mapserver:5.4.2:::::::*
cpe:2.3:a:osgeo:mapserver:5.4.1:::::::*
cpe:2.3:a:osgeo:mapserver:5.6.0:::::::*
cpe:2.3:a:osgeo:mapserver:5.6.1:::::::*
cpe:2.3:a:osgeo:mapserver:5.6.3:::::::*
cpe:2.3:a:osgeo:mapserver:5.0.0:rc2::::::
cpe:2.3:a:osgeo:mapserver:5.0.0:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:umn:mapserver:6.0.0:rc2::::::
cpe:2.3:a:umn:mapserver:6.0.0:beta3::::::
cpe:2.3:a:umn:mapserver:6.0.0:beta5::::::
cpe:2.3:a:umn:mapserver:6.0.0:rc1::::::
cpe:2.3:a:umn:mapserver:6.0.0:beta1::::::
cpe:2.3:a:umn:mapserver:6.0.0:::::::*
cpe:2.3:a:umn:mapserver:6.0.0:beta7::::::
cpe:2.3:a:umn:mapserver:6.0.0:beta6::::::
cpe:2.3:a:umn:mapserver:6.0.0:beta4::::::
cpe:2.3:a:umn:mapserver:6.0.0:beta2::::::

Related information, measures and tools

No	URL	タグ
1	http://lists.osgeo.org/pipermail/mapserver-users/2011-July/069430.html	Patch
2	http://secunia.com/advisories/45257	Vendor Advisory
3	http://secunia.com/advisories/45318	Vendor Advisory
4	http://secunia.com/advisories/45368	Vendor Advisory
5	http://trac.osgeo.org/mapserver/ticket/3903	Patch
6	http://www.debian.org/security/2011/dsa-2285
7	http://www.openwall.com/lists/oss-security/2011/07/19/11	Patch
8	http://www.openwall.com/lists/oss-security/2011/07/19/14	Patch
9	http://www.openwall.com/lists/oss-security/2011/07/20/15	Patch
10	http://www.securityfocus.com/bid/48720
11	https://bugzilla.redhat.com/show_bug.cgi?id=722545	Patch
12	https://bugzilla.redhat.com/show_bug.cgi?id=723293	Patch
13	https://exchange.xforce.ibmcloud.com/vulnerabilities/68682
14	http://lists.osgeo.org/pipermail/mapserver-users/2011-July/069430.html	Patch
15	https://exchange.xforce.ibmcloud.com/vulnerabilities/68682
16	https://bugzilla.redhat.com/show_bug.cgi?id=723293	Patch
17	https://bugzilla.redhat.com/show_bug.cgi?id=722545	Patch
18	http://www.securityfocus.com/bid/48720
19	http://www.openwall.com/lists/oss-security/2011/07/20/15	Patch
20	http://www.openwall.com/lists/oss-security/2011/07/19/14	Patch
21	http://www.openwall.com/lists/oss-security/2011/07/19/11	Patch
22	http://www.debian.org/security/2011/dsa-2285
23	http://trac.osgeo.org/mapserver/ticket/3903	Patch
24	http://secunia.com/advisories/45368	Vendor Advisory
25	http://secunia.com/advisories/45318	Vendor Advisory
26	http://secunia.com/advisories/45257	Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-89	SQLインジェクション	https://cwe.mitre.org/data/definitions/89.html

JVN Vulnerability Information

MapServer における SQL インジェクションの脆弱性

Title	MapServer における SQL インジェクションの脆弱性
Summary	MapServer には、(1) OGC フィルタエンコーディングまたは (2) WMS 時間サポートに関する処理に不備があるため、SQL インジェクションの脆弱性が存在します。
Possible impacts	第三者により、任意の Web スクリプトまたは HTML を挿入される可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Aug. 1, 2011, midnight
Registration Date	March 27, 2012, 6:43 p.m.
Last Update	March 27, 2012, 6:43 p.m.

Affected System

UMN

MapServer 4.10.7, 5.x 未満、5.6.7 未満の 5.x、6.0.1 未満の 6.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2011-2703	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2703
National Vulnerability Database (NVD)
2	CVE-2011-2703	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2703

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-89	https://jvndb.jvn.jp/ja/cwe/CWE-89.html

ベンダー情報

No	Name	URL
MapServer
1	Top Page	http://mapserver.org/

Change Log

No	Changed Details	Date of change
0	[2012年03月27日] 掲載	Feb. 17, 2018, 10:37 a.m.

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:osgeo:mapserver:4.2.0:beta1::::::
cpe:2.3:a:osgeo:mapserver:4.4.0:beta1::::::
cpe:2.3:a:osgeo:mapserver:4.4.0:beta2::::::
cpe:2.3:a:osgeo:mapserver:4.6.0:beta1::::::
cpe:2.3:a:osgeo:mapserver:4.6.0:beta2::::::
cpe:2.3:a:osgeo:mapserver:4.6.0:beta3::::::
cpe:2.3:a:osgeo:mapserver:4.8.0:beta2::::::
cpe:2.3:a:osgeo:mapserver:4.8.0:beta1::::::
cpe:2.3:a:osgeo:mapserver:4.8.0:beta3::::::
cpe:2.3:a:osgeo:mapserver:4.8.0:rc2::::::
cpe:2.3:a:osgeo:mapserver:4.8.0:rc1::::::
cpe:2.3:a:osgeo:mapserver:4.10.0:::::::*
cpe:2.3:a:osgeo:mapserver:4.10.0:beta1::::::
cpe:2.3:a:osgeo:mapserver:4.10.0:rc1::::::
cpe:2.3:a:osgeo:mapserver:4.10.0:beta3::::::
cpe:2.3:a:osgeo:mapserver:4.10.0:beta2::::::
cpe:2.3:a:osgeo:mapserver:4.10.4:::::::*
cpe:2.3:a:osgeo:mapserver:4.10.2:::::::*
cpe:2.3:a:osgeo:mapserver:4.10.1:::::::*
cpe:2.3:a:osgeo:mapserver:4.10.3:::::::*
cpe:2.3:a:osgeo:mapserver:4.10.5:::::::*
cpe:2.3:a:osgeo:mapserver:4.6.0:::::::*
cpe:2.3:a:osgeo:mapserver:4.6.0:rc1::::::
cpe:2.3:a:osgeo:mapserver::::::::		4.10.6
cpe:2.3:a:osgeo:mapserver:4.4.0:::::::*
cpe:2.3:a:osgeo:mapserver:4.4.0:beta3::::::

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:umn:mapserver:5.6.4:::::::*
cpe:2.3:a:umn:mapserver:5.2.2:::::::*
cpe:2.3:a:umn:mapserver:5.6.5:::::::*
cpe:2.3:a:umn:mapserver:5.6.6:::::::*
cpe:2.3:a:umn:mapserver:5.2.3:::::::*
cpe:2.3:a:osgeo:mapserver:5.0.0:beta5::::::
cpe:2.3:a:osgeo:mapserver:5.0.0:beta6::::::
cpe:2.3:a:osgeo:mapserver:5.0.0:beta3::::::
cpe:2.3:a:osgeo:mapserver:5.0.0:beta4::::::
cpe:2.3:a:osgeo:mapserver:5.0.0:beta1::::::
cpe:2.3:a:osgeo:mapserver:5.0.0:beta2::::::
cpe:2.3:a:osgeo:mapserver:5.0.0:rc1::::::
cpe:2.3:a:osgeo:mapserver:5.2.0:::::::*
cpe:2.3:a:osgeo:mapserver:5.2.0:beta2::::::
cpe:2.3:a:osgeo:mapserver:5.2.0:beta1::::::
cpe:2.3:a:osgeo:mapserver:5.2.0:beta3::::::
cpe:2.3:a:osgeo:mapserver:5.2.0:beta4::::::
cpe:2.3:a:osgeo:mapserver:5.2.0:rc1::::::
cpe:2.3:a:osgeo:mapserver:5.2.1:::::::*
cpe:2.3:a:osgeo:mapserver:5.4.0:::::::*
cpe:2.3:a:osgeo:mapserver:5.4.0:beta1::::::
cpe:2.3:a:osgeo:mapserver:5.4.0:beta2::::::
cpe:2.3:a:osgeo:mapserver:5.4.0:beta4::::::
cpe:2.3:a:osgeo:mapserver:5.4.0:beta3::::::
cpe:2.3:a:osgeo:mapserver:5.4.0:rc2::::::
cpe:2.3:a:osgeo:mapserver:5.4.0:rc1::::::
cpe:2.3:a:osgeo:mapserver:5.4.2:::::::*
cpe:2.3:a:osgeo:mapserver:5.4.1:::::::*
cpe:2.3:a:osgeo:mapserver:5.6.0:::::::*
cpe:2.3:a:osgeo:mapserver:5.6.1:::::::*
cpe:2.3:a:osgeo:mapserver:5.6.3:::::::*
cpe:2.3:a:osgeo:mapserver:5.0.0:rc2::::::
cpe:2.3:a:osgeo:mapserver:5.0.0:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:umn:mapserver:6.0.0:rc2::::::
cpe:2.3:a:umn:mapserver:6.0.0:beta3::::::
cpe:2.3:a:umn:mapserver:6.0.0:beta5::::::
cpe:2.3:a:umn:mapserver:6.0.0:rc1::::::
cpe:2.3:a:umn:mapserver:6.0.0:beta1::::::
cpe:2.3:a:umn:mapserver:6.0.0:::::::*
cpe:2.3:a:umn:mapserver:6.0.0:beta7::::::
cpe:2.3:a:umn:mapserver:6.0.0:beta6::::::
cpe:2.3:a:umn:mapserver:6.0.0:beta4::::::
cpe:2.3:a:umn:mapserver:6.0.0:beta2::::::