CVE-2012-0199

{"id": "CVE-2012-0199", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2012-03-06T04:18:03.110", "references": [{"url": "http://www.zerodayinitiative.com/advisories/ZDI-12-040/", "source": "psirt@us.ibm.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/73034", "source": "psirt@us.ibm.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Multiple SQL injection vulnerabilities in IBM Tivoli Provisioning Manager Express for Software Distribution 4.1.1 allow remote attackers to execute arbitrary SQL commands via (1) a SOAP message to the Printer.getPrinterAgentKey function in the SoapServlet servlet, (2) the User.updateUserValue function in the register.do servlet, (3) the User.isExistingUser function in the logon.do servlet, (4) the Asset.getHWKey function in the CallHomeExec servlet, (5) the Asset.getMimeType function in the getAttachment (aka GetAttachmentServlet) servlet, (6) the addAsset.do servlet, or (7) a crafted EG2 file."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en la distribuci\u00f3n de software IBM Tivoli Provisioning Manager Express v4.1.1, permite a atacantes remotos ejecutar comandos SQL de su elecci\u00f3n a trav\u00e9s de (1) mesnaje SOAP sobre la funci\u00f3n Printer.getPrinterAgentKey en el servlet SoapServlet, (2) la funci\u00f3n User.updateUserValue en el servlet register.do, (3) la funci\u00f3n User.isExistingUser en el servlet logon.do, (4) la funci\u00f3n Asset.getHWKey en el servlet CallHomeExec, (5) la funci\u00f3n Asset.getMimeType en el servlet getAttachment (tambi\u00e9n conocido como GetAttachmentServlet), (6) el servlet addAsset.do, o (7) un fichero EG2 manipulado."}], "lastModified": "2017-08-29T01:30:51.960", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:tivoli_provisioning_manager_express_for_software_distribution:4.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3A039B9D-4EFA-44FD-8986-2BE0FFB0C5E0"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@us.ibm.com"}