CVE-2018-3885
published 2018-09-12CVE-2018-3885: An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections…
PriorityP349high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.91%
55.5th percentile
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The order_by parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| clusterlabs | pacemaker | >= 0 < 1.1.14-2ubuntu1.6 | 1.1.14-2ubuntu1.6 |
| clusterlabs | pacemaker | >= 0 < 1.1.18-0ubuntu1.1 | 1.1.18-0ubuntu1.1 |
| frappe | erpnext | — | — |
| talos | erpnext | — | — |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv3.05.4MEDIUMCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
osv7.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-5x9m-2fcv-3q75: An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10
ghsa_unreviewed·2022-05-13
CVE-2018-3885 [HIGH] CWE-89 GHSA-5x9m-2fcv-3q75: An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The order_by parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.
OSV
pacemaker vulnerabilities
osv·2019-04-23·CVSS 7.8
CVE-2018-16877 pacemaker vulnerabilities
pacemaker vulnerabilities
Jan Pokorný discovered that Pacemaker incorrectly handled client-server
authentication. A local attacker could possibly use this issue to escalate
privileges. (CVE-2018-16877)
Jan Pokorný discovered that Pacemaker incorrectly handled certain
verifications. A local attacker could possibly use this issue to cause a
denial of service. (CVE-2018-16878)
Jan Pokorný discovered that Pacemaker incorrectly handled certain memory
operations. A local attacker could possibly use this issue to obtain
sensitive information in log outputs. This issue only applied to Ubuntu
18.04 LTS, Ubuntu 18.10, and Ubuntu 19.04. (CVE-2019-3885)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-3885 pacemaker: Information disclosure through use-after-free
bugzilla·2019-04-01·CVSS 7.8
CVE-2019-3885 [HIGH] CVE-2019-3885 pacemaker: Information disclosure through use-after-free
CVE-2019-3885 pacemaker: Information disclosure through use-after-free
A use-after-free defect was discovered in pacemaker that can possibly lead to unsolicited information disclosure in the log outputs.
Discussion:
Acknowledgments:
Name: Jan Pokorný (Red Hat)
---
Created attachment 1555736
Cumulative patches to address CVE-2018-16877, CVE-2018-16878 and CVE-2019-3885
---
Public via:
https://www.openwall.com/lists/oss-security/2019/04/17/1
---
Created pacemaker tracking bugs for this issue:
Affects: fedora-all [bug 1700737]
---
Upstream patch: https://github.com/ClusterLabs/pacemaker/pull/1749/commits/970736b1c7ad5c78cc5295a4231e546104d55893
---
Created pacemaker tracking bugs for this issue:
Affects: openstack-rdo [bug 1706307]
---
This issue has been addressed in the fo
Bugzilla
CVE-2018-16878 pacemaker: Insufficient verification inflicted preference of uncontrolled processes can lead to DoS
bugzilla·2018-12-10·CVSS 7.8
CVE-2018-16878 [HIGH] CVE-2018-16878 pacemaker: Insufficient verification inflicted preference of uncontrolled processes can lead to DoS
CVE-2018-16878 pacemaker: Insufficient verification inflicted preference of uncontrolled processes can lead to DoS
A flaw was found in pacemaker. An insufficient verification inflicted preference of uncontrolled processes can lead to DoS
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1649942
Discussion:
Acknowledgments:
Name: Jan Pokorný (Red Hat)
---
Created attachment 1555735
Cumulative patches to address CVE-2018-16877, CVE-2018-16878 and CVE-2019-3885
---
Public via:
https://www.openwall.com/lists/oss-security/2019/04/17/1
---
Created pacemaker tracking bugs for this issue:
Affects: fedora-all [bug 1700737]
---
Upstream patch: https://github.com/ClusterLabs/pacemaker/pull/1749/commits/970736b1c7ad5c78cc5295a4231e546104d55893
---
Created pacemaker tracking bugs
2018-09-12
Published