CVE-2020-3984 — SQL Injection in Vmware Sd-wan Orchestrator

CWE-89 — SQL Injection5 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

16.6%

top 5.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Sd-wan Orchestrator

Timeline

PublishedNov 24

Latest updateMay 24

Description

The SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3 and 3.4.x prior to 3.4.4 does not apply correct input validation which allows for SQL-injection. An authenticated SD-WAN Orchestrator user may exploit a vulnerable API call using specially crafted SQL queries which may lead to unauthorized data access.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages1 packages

▶NVDvmware/sd-wan_orchestrator3.4.0 — 3.4.4+1

🔴Vulnerability Details

GHSA

GHSA-vf79-fxj5-j7c4: The SD-WAN Orchestrator 3↗2022-05-24

▶

CVEList

CVE-2020-3984: The SD-WAN Orchestrator 3↗2020-11-24

▶

🔍Detection Rules

Suricata

ET EXPLOIT VMware SD-WAN Orchestrator SQL Injection (CVE-2020-3984)↗2022-02-04

▶

📋Vendor Advisories

VMware

VMware SD-WAN Orchestrator updates address multiple security vulnerabilities (CVE-2020-3984, CVE-2020-3985, CVE-2020-4000, CVE-2020-4001, CVE-2020-4002 ,CVE-2020-4003)↗2020-11-18

▶