Platform
other
Component
avaya-control-manager
Fixed in
8.0.1
7.0.1
CVE-2019-7003 describes a critical SQL injection vulnerability discovered in the reporting component of Avaya Control Manager. This flaw allows an unauthenticated attacker to execute arbitrary SQL commands, potentially leading to the exposure of sensitive user data. The vulnerability impacts versions 7.0 through 8.0.x prior to 8.0.4.0. A fix is available in version 8.0.4.0.
Successful exploitation of CVE-2019-7003 could grant an attacker complete control over the Avaya Control Manager database. This includes the ability to read, modify, or delete sensitive user data, configuration settings, and potentially even system credentials. The lack of authentication required for exploitation significantly broadens the attack surface, making it accessible to a wide range of threat actors. An attacker could leverage this access to perform reconnaissance, escalate privileges, and potentially pivot to other systems within the network. The blast radius extends to any data stored within the Avaya Control Manager database, which could include personally identifiable information (PII) and confidential business data.
CVE-2019-7003 was publicly disclosed on July 11, 2019. While no active exploitation campaigns have been definitively linked to this vulnerability, its critical severity and ease of exploitation make it a high-priority target for attackers. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the vulnerability's exploitability.
Organizations utilizing Avaya Control Manager in environments with direct external access to the reporting component are at significant risk. Specifically, deployments with weak network segmentation or inadequate input validation are particularly vulnerable. Shared hosting environments where multiple customers share the same Avaya Control Manager instance also face increased exposure.
• linux / server:
journalctl -u avaya-control-manager -g 'SQL injection' | grep -i error
• generic web:
curl -I <avaya_control_manager_reporting_endpoint> | grep SQL
• database (mysql):
SELECT user, password FROM mysql.user WHERE user LIKE '%admin%';
(On MySQL 5.7 and later the password hash column is named authentication_string rather than password.)
disclosure
Exploit status
EPSS
0.63% (70th percentile)
CVSS vector
The primary mitigation for CVE-2019-7003 is to immediately upgrade Avaya Control Manager to version 8.0.4.0 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as restricting network access to the reporting component and implementing strict input validation on all user-supplied data. While not a complete solution, a Web Application Firewall (WAF) configured to detect and block SQL injection attempts can provide an additional layer of defense. Monitor Avaya Control Manager logs for suspicious SQL queries or unusual database activity. After upgrading, verify the fix by attempting a SQL injection attack on the reporting component; it should be blocked.
Update Avaya Control Manager to version 8.0.4.0 or later. This fixes the SQL injection vulnerability in the reporting component.
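The log-monitoring advice above can be turned into a concrete offline check. The following Python script is an added example, not code from this page, from Avaya, or from any Avaya product: it parses constructed web-server access-log lines (Apache/nginx combined format is assumed; the `/reporting/report` path and all client addresses are invented placeholders, not the real reporting endpoint) and flags only those requests to the reporting component whose decoded query string shows common SQL-tampering shapes, so a defender can see which sources probed the endpoint and with what.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache/nginx combined format). They are
# not from this page or from any real Avaya Control Manager deployment, and the
# "/reporting/report" path is an assumed placeholder for the reporting endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jul/2019:10:00:01 +0000] "GET /reporting/report?id=42 HTTP/1.1" 200 512
10.0.0.7 - - [11/Jul/2019:10:00:02 +0000] "GET /reporting/report?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120
10.0.0.9 - - [11/Jul/2019:10:00:03 +0000] "GET /reporting/report?id=42%20UNION%20SELECT%20user%2Cpassword%20FROM%20users HTTP/1.1" 500 120
10.0.0.5 - - [11/Jul/2019:10:00:04 +0000] "GET /static/logo.png?v=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 3040
10.0.0.8 - - [11/Jul/2019:10:00:05 +0000] "GET /reporting/report?id=43 HTTP/1.1" 200 511
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicator rules as (name, regex). Each matches a broad shape of SQL tampering
# in a decoded query string rather than one specific payload string.
SQLI_RULES = [
    ("union-select", re.compile(r"(?i)\bunion\b.{0,40}\bselect\b")),
    ("tautology", re.compile(r"(?i)'\s*or\s*'?\d*'?\s*=\s*'?\d")),
    ("sql-keyword-pair", re.compile(
        r"(?i)\b(select|insert|update|delete|drop)\b.{0,40}\b(from|into|table)\b")),
    ("trailing-comment", re.compile(r"(--|/\*)\s*$")),
    ("time-based", re.compile(r"(?i)\b(sleep|benchmark|waitfor)\s*\(")),
]


def decode_query(target):
    """Return the query string of a request target, decoded until stable.

    Repeating the decode means single- and double-encoded input is compared
    in the same plain form before the rules run."""
    query = target.partition("?")[2]
    for _ in range(3):  # bounded so a pathological input cannot loop forever
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query


def scan_access_log(text, reporting_prefix="/reporting/"):
    """Return one dict per request to the reporting component that trips a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore rather than guess
        target = m.group("target")
        if not target.startswith(reporting_prefix):
            continue  # only the reporting component is in scope for this CVE
        query = decode_query(target)
        rules = [name for name, rx in SQLI_RULES if rx.search(query)]
        if rules:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "query": query,
                "rules": rules,
            })
    return hits


def sources_by_hit_count(hits):
    """Count flagged requests per client address, for triage ordering."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} status={h["status"]} '
              f'rules={",".join(h["rules"])} query={h["query"]!r}')
    print(sources_by_hit_count(found))
```

Scoping the scan to the reporting path keeps the noise down: the fourth sample line carries the same suspicious string against a static asset and is deliberately not reported. A 500 response paired with a flagged query (third line) is worth a closer look, since it often means the injected text reached the database layer rather than being rejected at the application boundary.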
CVE-2019-7003 is a critical SQL injection vulnerability affecting Avaya Control Manager versions 7.0–8.0.x prior to 8.0.4.0, allowing attackers to execute SQL commands.
If you are running Avaya Control Manager versions 7.0 through 8.0.x before 8.0.4.0, you are potentially affected by this vulnerability.
Upgrade Avaya Control Manager to version 8.0.4.0 or later to remediate the vulnerability. Implement temporary workarounds if immediate upgrading is not possible.
Public proof-of-concept exploits are available, indicating a moderate risk of exploitation.
Refer to the Avaya Security Advisory for details: [https://www.avaya.com/support/knowledge-base/article/CVE-2019-7003](https://www.avaya.com/support/knowledge-base/article/CVE-2019-7003)