Severity: 7.2 HIGH
EPSS: 0.2% (top 52.64%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 14, latest update Oct 10

Description

A blind SQL injection vulnerability in the ePolicy Orchestrator (ePO) extension of MA prior to 5.7.6 can be exploited by an authenticated administrator on ePO to perform arbitrary SQL queries in the back-end database, potentially leading to command execution on the server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Exploitability: 1.7 | Impact: 6.0

Affected Packages (2 packages)

CVEListV5 | mcafee,llc/mcafee_agent_epo_extension | unspecified | 5.7.6
NVD | mcafee/agent | < 5.7.6

Vulnerability Details (4)

GHSA | Exposure of sensitive Slack webhook URLs in debug logs and traces | 2022-10-10
GHSA | Slack Morphism for Rust before 0.41.0 can leak Slack OAuth client information in application debug logs | 2022-07-20
GHSA | GHSA-jcwg-4q3h-fc3w: A blind SQL injection vulnerability in the ePolicy Orchestrator (ePO) extension of MA prior to 5 | 2022-04-15
CVEList | SQL injection vulnerability in McAfee Agent's ePO extension | 2022-04-14