CVE-2024-6672 - Vulnerability Details - OpenCVE

In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user's password.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Progress	Whatsup Gold Whatsupgold

Configuration 1 [-]

cpe:2.3:a:progress:whatsup_gold:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024
https://www.progress.com/network-monitoring

History

Wed, 04 Sep 2024 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Progress whatsup Gold
CPEs		cpe:2.3:a:progress:whatsup_gold::::::::
Vendors & Products		Progress whatsup Gold

Fri, 30 Aug 2024 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Progress Progress whatsupgold
CPEs		cpe:2.3:a:progress:whatsupgold::::::::
Vendors & Products		Progress Progress whatsupgold
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 29 Aug 2024 22:15:00 +0000

Type	Values Removed	Values Added
Description		In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user's password.
Title		WhatsUp Gold getMonitorJoin SQL Injection Privilege Escalation Vulnerability
Weaknesses		CWE-89
References		https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024 https://www.progress.com/network-monitoring
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published: 2024-08-29T22:07:13.727Z

Updated: 2024-08-30T13:45:45.129Z

Reserved: 2024-07-10T19:45:29.346Z

Link: CVE-2024-6672

Vulnrichment

Updated: 2024-08-30T13:45:29.131Z

NVD

Status : Analyzed

Published: 2024-08-29T22:15:05.953

Modified: 2024-09-04T14:23:58.403

Link: CVE-2024-6672

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6672", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "state": "PUBLISHED", "assignerShortName": "ProgressSoftware", "dateReserved": "2024-07-10T19:45:29.346Z", "datePublished": "2024-08-29T22:07:13.727Z", "dateUpdated": "2024-08-30T13:45:45.129Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "modules": ["API Endpoint"], "platforms": ["Windows"], "product": "WhatsUp Gold", "vendor": "Progress Software Corporation", "versions": [{"lessThan": "2024.0.0", "status": "affected", "version": "2023.1.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user's password."}], "value": "In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user's password."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2024-08-29T22:07:13.727Z"}, "references": [{"tags": ["product"], "url": "https://www.progress.com/network-monitoring"}, {"tags": ["vendor-advisory"], "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024"}], "source": {"discovery": "UNKNOWN"}, "title": "WhatsUp Gold getMonitorJoin SQL Injection Privilege Escalation Vulnerability", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "progress", "product": "whatsupgold", "cpes": ["cpe:2.3:a:progress:whatsupgold:*:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "2023.1.0", "status": "affected", "lessThan": "2024.0.0", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-30T13:44:33.392630Z", "id": "CVE-2024-6672", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-30T13:45:45.129Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6672", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-30T13:44:33.392630Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:progress:whatsupgold:*:*:*:*:*:*:*:*"], "vendor": "progress", "product": "whatsupgold", "versions": [{"status": "affected", "version": "2023.1.0", "lessThan": "2024.0.0", "versionType": "semver"}], "defaultStatus": "affected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-30T13:45:29.131Z"}}], "cna": {"title": "WhatsUp Gold getMonitorJoin SQL Injection Privilege Escalation Vulnerability", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Progress Software Corporation", "modules": ["API Endpoint"], "product": "WhatsUp Gold", "versions": [{"status": "affected", "version": "2023.1.0", "lessThan": "2024.0.0", "versionType": "semver"}], "platforms": ["Windows"], "defaultStatus": "affected"}], "references": [{"url": "https://www.progress.com/network-monitoring", "tags": ["product"]}, {"url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user's password.", "supportingMedia": [{"type": "text/html", "value": "In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user's password.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2024-08-29T22:07:13.727Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6672", "state": "PUBLISHED", "dateUpdated": "2024-08-30T13:45:45.129Z", "dateReserved": "2024-07-10T19:45:29.346Z", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "datePublished": "2024-08-29T22:07:13.727Z", "assignerShortName": "ProgressSoftware"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:progress:whatsup_gold:*:*:*:*:*:*:*:*", "matchCriteriaId": "F88DF254-746E-41F3-A2CA-0DC0B5C49837", "versionEndExcluding": "24.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user's password."}, {"lang": "es", "value": "En las versiones de WhatsUp Gold lanzadas antes de 2024.0.0, una vulnerabilidad de inyecci\u00f3n SQL permite que un atacante autenticado con pocos privilegios logre una escalada de privilegios modificando la contrase\u00f1a de un usuario privilegiado."}], "id": "CVE-2024-6672", "lastModified": "2024-09-04T14:23:58.403", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@progress.com", "type": "Secondary"}]}, "published": "2024-08-29T22:15:05.953", "references": [{"source": "security@progress.com", "tags": ["Vendor Advisory"], "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024"}, {"source": "security@progress.com", "tags": ["Product"], "url": "https://www.progress.com/network-monitoring"}], "sourceIdentifier": "security@progress.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@progress.com", "type": "Secondary"}]}