CVE-2016-8640
Published: 1 August 2018
A SQL injection vulnerability in pycsw, all versions before 2.0.2, 1.10.5 and 1.8.6, allows an attacker to read and extract any data from any table in the pycsw database that the database user has access to. On PostgreSQL (at least), it is also possible to perform updates, inserts, deletes and other database modifications on any table the database user has access to.
Priority
Status
Package | Release | Status
---|---|---
pycsw | artful | Ignored (end of life)
pycsw | bionic | Not vulnerable (2.0.2+dfsg-1)
pycsw | cosmic | Not vulnerable (2.0.2+dfsg-1)
pycsw | disco | Not vulnerable (2.0.2+dfsg-1)
pycsw | eoan | Not vulnerable (2.0.2+dfsg-1)
pycsw | focal | Not vulnerable (2.0.2+dfsg-1)
pycsw | groovy | Not vulnerable (2.0.2+dfsg-1)
pycsw | hirsute | Not vulnerable (2.0.2+dfsg-1)
pycsw | impish | Not vulnerable (2.0.2+dfsg-1)
pycsw | jammy | Not vulnerable (2.0.2+dfsg-1)
pycsw | kinetic | Not vulnerable (2.0.2+dfsg-1)
pycsw | lunar | Not vulnerable (2.0.2+dfsg-1)
pycsw | mantic | Not vulnerable (2.0.2+dfsg-1)
pycsw | precise | Does not exist
pycsw | trusty | Does not exist
pycsw | upstream | Released (2.0.2+dfsg-1)
pycsw | xenial | Needed
pycsw | yakkety | Ignored (end of life)
pycsw | zesty | Ignored (end of life)
Severity score breakdown
Parameter | Value
---|---
Base score | 9.1
Attack vector | Network
Attack complexity | Low
Privileges required | None
User interaction | None
Scope | Unchanged
Confidentiality impact | High
Integrity impact | High
Availability impact | None
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N