CVE-2022-1258
Published 2022-04-14
Priority: P346 · Severity: high · CVSS 3.1 base score: 7.2
EPSS: 0.91% (55.5th percentile)
A blind SQL injection vulnerability in the ePolicy Orchestrator (ePO) extension of MA prior to 5.7.6 can be exploited by an authenticated administrator on ePO to perform arbitrary SQL queries in the back-end database, potentially leading to command execution on the server.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mcafee | agent | < 5.7.6 | 5.7.6 |
| mcafee_llc | mcafee_agent_epo_extension | >= unspecified < 5.7.6 | 5.7.6 |
CVSS provenance
NVD, CVSS v3.1: 7.2 HIGH — CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.0 MEDIUM — AV:N/AC:M/Au:S/C:P/I:P/A:P
GHSA
Exposure of sensitive Slack webhook URLs in debug logs and traces
GHSA · 2022-10-10
CVE-2022-39292 [HIGH] CWE-1258 Exposure of sensitive Slack webhook URLs in debug logs and traces
### Impact
Debug logs expose sensitive URLs for Slack webhooks that contain private information.
### Patches
The problem is fixed in v1.3.2 which redacts sensitive URLs for webhooks.
### Workarounds
Disable or filter debug logs if you use Slack webhooks, using the tracing log level and filters.
### References
https://github.com/abdolence/slack-morphism-rust/releases/tag/v1.3.2
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [repo](https://github.com/abdolence/slack-morphism-rust)
* Read our [security policy](https://github.com/abdolence/slack-morphism-rust/blob/master/SECURITY.md)
GHSA
Slack Morphism for Rust before 0.41.0 can leak Slack OAuth client information in application debug logs
GHSA · 2022-07-20
CVE-2022-31162 [HIGH] CWE-1258 Slack Morphism for Rust before 0.41.0 can leak Slack OAuth client information in application debug logs
### Impact
Potential/accidental leaking of Slack OAuth client information in application debug logs.
### Patches
Stricter, more secure debug formatting was introduced in v0.41.0 for the OAuth secret types, to avoid printing sensitive information in application logs.
### Workarounds
Do not print or log requests and responses for OAuth and client configurations.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in the [repo](https://github.com/abdolence/slack-morphism-rust)
* Email us at [[email protected]](mailto:[email protected])
GHSA
GHSA-jcwg-4q3h-fc3w: A blind SQL injection vulnerability in the ePolicy Orchestrator (ePO) extension of MA prior to 5
GHSA (unreviewed) · 2022-04-15
CVE-2022-1258 [HIGH] CWE-89 GHSA-jcwg-4q3h-fc3w: A blind SQL injection vulnerability in the ePolicy Orchestrator (ePO) extension of MA prior to 5
A blind SQL injection vulnerability in the ePolicy Orchestrator (ePO) extension of MA prior to 5.7.6 can be exploited by an authenticated administrator on ePO to perform arbitrary SQL queries in the back-end database, potentially leading to command execution on the server.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.