CVE-2021-43609

An issue was discovered in Spiceworks Help Desk Server before 1.3.3. A Blind Boolean SQL injection vulnerability within the order_by_for_ticket function in app/models/reporting/database_query.rb allows an authenticated attacker to execute arbitrary SQL commands via the sort parameter. This can be leveraged to leak local files from the host system, leading to remote code execution (RCE) through deserialization of malicious data.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://community.spiceworks.com/blogs/help-desk-server-release-notes/3610-1-3-2-1-3-3	Release Notes
https://github.com/d5sec/CVE-2021-43609-POC	Third Party Advisory
https://www.linkedin.com/pulse/cve-2021-43609-write-up-division5-security-4lgwe	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:spiceworks:help_desk_server:*:*:*:*:*:*:*:*

History

16 Nov 2023, 14:09

Type	Values Removed	Values Added
CWE		CWE-89
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
CPE		cpe:2.3:a:spiceworks:help_desk_server::::::::
First Time		Spiceworks help Desk Server Spiceworks
References	~~() https://www.linkedin.com/pulse/cve-2021-43609-write-up-division5-security-4lgwe -~~	() https://www.linkedin.com/pulse/cve-2021-43609-write-up-division5-security-4lgwe - Exploit, Third Party Advisory
References	~~() https://github.com/d5sec/CVE-2021-43609-POC -~~	() https://github.com/d5sec/CVE-2021-43609-POC - Third Party Advisory
References	~~() https://community.spiceworks.com/blogs/help-desk-server-release-notes/3610-1-3-2-1-3-3 -~~	() https://community.spiceworks.com/blogs/help-desk-server-release-notes/3610-1-3-2-1-3-3 - Release Notes

09 Nov 2023, 00:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-11-09 00:15

Updated : 2024-02-28 20:54

NVD link : CVE-2021-43609

Mitre link : CVE-2021-43609

CVE.ORG link : CVE-2021-43609

JSON object : View

Products Affected

spiceworks

help_desk_server

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2021-43609", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}]}, "published": "2023-11-09T00:15:07.663", "references": [{"url": "https://community.spiceworks.com/blogs/help-desk-server-release-notes/3610-1-3-2-1-3-3", "tags": ["Release Notes"], "source": "cve@mitre.org"}, {"url": "https://github.com/d5sec/CVE-2021-43609-POC", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.linkedin.com/pulse/cve-2021-43609-write-up-division5-security-4lgwe", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Spiceworks Help Desk Server before 1.3.3. A Blind Boolean SQL injection vulnerability within the order_by_for_ticket function in app/models/reporting/database_query.rb allows an authenticated attacker to execute arbitrary SQL commands via the sort parameter. This can be leveraged to leak local files from the host system, leading to remote code execution (RCE) through deserialization of malicious data."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Spiceworks Help Desk Server antes de la versi\u00f3n 1.3.3. Una vulnerabilidad de inyecci\u00f3n Blind Boolean SQL dentro de la funci\u00f3n order_by_for_ticket en app/models/reporting/database_query.rb permite a un atacante autenticado ejecutar comandos SQL arbitrarios a trav\u00e9s del par\u00e1metro sort. Esto se puede aprovechar para filtrar archivos locales del sistema host, lo que lleva a la ejecuci\u00f3n remota de c\u00f3digo (RCE) mediante la deserializaci\u00f3n de datos maliciosos."}], "lastModified": "2023-11-16T14:09:21.980", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:spiceworks:help_desk_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B6C802AC-451D-4258-9462-4A30954FA3C8", "versionEndExcluding": "1.3.3"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}