CVE-2008-2380 — SQL Injection in Courier-authlib

CWE-89 — SQL Injection5 documents5 sources

Severity

5.1MEDIUMNVD

EPSS

0.6%

top 30.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Courier-authlib Courier-mta Courtier-authlib

Timeline

PublishedDec 22

Latest updateMay 1

Description

SQL injection vulnerability in authpgsqllib.c in Courier-Authlib before 0.62.0, when a non-Latin locale Postgres database is used, allows remote attackers to execute arbitrary SQL commands via query parameters containing apostrophes.

CVSS vector

AV:N/AC:H/C:P/I:P/A:PExploitability: 4.9 | Impact: 6.4

Affected Packages2 packages

▶debiandebian/courier-authlib< courier-authlib 0.61.0-1+lenny1 (bookworm)

▶NVDcourier-mta/courtier-authlib20 versions+19

Patches

Patch: www.securityfocus.com ↗Patch: www.securityfocus.com ↗

🔴Vulnerability Details

GHSA

GHSA-p4v2-gpr7-p49q: SQL injection vulnerability in authpgsqllib↗2022-05-01

▶

OSV

CVE-2008-2380: SQL injection vulnerability in authpgsqllib↗2008-12-22

▶

📋Vendor Advisories

Debian

CVE-2008-2380: courier-authlib - SQL injection vulnerability in authpgsqllib.c in Courier-Authlib before 0.62.0, ...↗2008

▶

📐Framework References

CWE

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')↗

▶