Platform: other
Component: avaya-control-manager
Fixed in: 8.0.1, 7.0.1
CVE-2019-7003 describes a critical SQL injection vulnerability discovered in the reporting component of Avaya Control Manager. This flaw allows an unauthenticated attacker to execute arbitrary SQL commands, potentially leading to the exposure of sensitive user data. The vulnerability impacts versions 7.0 through 8.0.x prior to 8.0.4.0. A fix is available in version 8.0.4.0.
The impact of CVE-2019-7003 is severe. Successful exploitation allows an attacker to bypass authentication and interact directly with the underlying database. This could result in the unauthorized retrieval of usernames, passwords, configuration details, and other sensitive information stored in the Avaya Control Manager database. Depending on the database schema and privileges, an attacker might also be able to modify data or execute commands on the system. Because no authentication is required, the attack surface is broad, which makes this vulnerability particularly concerning. While no direct precedent is cited, the potential for data exfiltration and system compromise is in line with other high-severity SQL injection vulnerabilities.
CVE-2019-7003 was publicly disclosed on July 11, 2019. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, indicating a moderate risk of exploitation. The vulnerability's ease of exploitation and potential impact warrant immediate attention and remediation.
Exploit Status
EPSS: 0.63% (70th percentile)
The primary mitigation for CVE-2019-7003 is to upgrade Avaya Control Manager to version 8.0.4.0 or later. If an immediate upgrade is not feasible, consider temporary workarounds such as restricting network access to the reporting component and enforcing strict input validation on all user-supplied data. A Web Application Firewall (WAF) configured with rules to detect and block SQL injection attempts can provide an additional layer of defense. Monitor Avaya Control Manager logs for suspicious SQL queries or unusual database activity. After upgrading, confirm the fix by testing the reporting component for SQL injection and verifying that the attempt is blocked.
Update Avaya Control Manager to version 8.0.4.0 or later. This corrects the SQL injection vulnerability in the reporting component.
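To find which hosts in an inventory still need the upgrade, the affected range this page states (7.0 through 8.0.x, fixed in 8.0.4.0) can be encoded as a version check. This is an added example, not Avaya's code or a tool from the advisory; it assumes versions are reported as dotted integers such as "8.0.3.1", and the host names and versions below are constructed sample data.

```python
"""Asset-inventory check for CVE-2019-7003 (Avaya Control Manager).

Added example. The affected range is the one given in the body of this page:
7.0 through 8.0.x before 8.0.4.0, with 8.0.4.0 and later fixed. Version
strings are assumed to be dotted integers; anything else is reported as
unparseable rather than guessed at.
"""
import re

AFFECTED_FROM = (7, 0)        # first affected release (inclusive lower bound)
FIXED_IN = (8, 0, 4, 0)       # first fixed release (exclusive upper bound)


def parse_version(text):
    """Turn "8.0.3" into (8, 0, 3); raise ValueError on malformed input."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _pad(v, n):
    """Right-pad a version tuple with zeros so tuples of different length compare."""
    return v + (0,) * (n - len(v))


def is_affected(version_text):
    """True if the version lies in [7.0, 8.0.4.0), the range stated on this page."""
    v = parse_version(version_text)
    n = max(len(v), len(AFFECTED_FROM), len(FIXED_IN))
    v, lo, hi = _pad(v, n), _pad(AFFECTED_FROM, n), _pad(FIXED_IN, n)
    return lo <= v < hi


def triage(inventory):
    """Map {host: version} to {host: status} for the three possible outcomes."""
    result = {}
    for host, ver in inventory.items():
        try:
            result[host] = "in affected range" if is_affected(ver) else "outside affected range"
        except ValueError:
            result[host] = "unparseable version"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {"acm-prod-01": "8.0.3.1", "acm-lab-02": "8.0.4.0",
              "acm-old-03": "7.0", "acm-dev-04": "6.2", "acm-bad-05": "8.x"}
    for host, status in triage(sample).items():
        print(f"{host:12s} {sample[host]:8s} {status}")
```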
CVE-2019-7003 is a critical SQL injection vulnerability affecting Avaya Control Manager versions 7.0–8.0.x prior to 8.0.4.0, allowing attackers to execute SQL commands.
If you are running Avaya Control Manager versions 7.0 through 8.0.x before 8.0.4.0, you are potentially affected by this vulnerability.
Upgrade Avaya Control Manager to version 8.0.4.0 or later to remediate the vulnerability. Implement temporary workarounds if immediate upgrading is not possible.
Refer to the Avaya Security Advisory for details: [https://www.avaya.com/support/knowledge-base/article/CVE-2019-7003](https://www.avaya.com/support/knowledge-base/article/CVE-2019-7003)