Sign-up

ID

VAR-201507-0144


CVE

CVE-2015-2849


TITLE

ANTlabs InnGate Firmware SQL Injection Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2015-04404 // CNNVD: CNNVD-201507-160

DESCRIPTION

SQL injection vulnerability in main.ant in the ANTlabs InnGate firmware on IG 3100, InnGate 3.01 E, InnGate 3.10 E, InnGate 3.10 M, SG 4, and SSG 4 devices, when https is used, allows remote attackers to execute arbitrary SQL commands via the ppli parameter. ANTlabs InnGate is a gateway device designed for operating corporate guest/visitor networks. Multiple InnGate models have been confirmed to be vulnerable to SQL injection and cross-site scripting attacks. ANTlabs InnGate firmware on IG 3100 is a firmware used by ANTlabs in Singapore for devices such as the IG 3100 gateway. A remote attacker can execute arbitrary queries on the underlying database. According to ANTLabs, only HTTPS connections are vulnerable to this type of attack. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database

Trust: 3.15

sources: NVD: CVE-2015-2849 // CERT/CC: VU#485324 // JVNDB: JVNDB-2015-003474 // CNVD: CNVD-2015-04404 // BID: 75560

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2015-04404

AFFECTED PRODUCTS

vendor:antlabsmodel:inngate ig 3.01 escope:eqversion: -

Trust: 1.6

vendor:antlabsmodel:inngate ig 3.10 escope:eqversion: -

Trust: 1.6

vendor:antlabsmodel:inngate ssg 4scope:eqversion: -

Trust: 1.6

vendor:antlabsmodel:inngate sg 4scope:eqversion: -

Trust: 1.6

vendor:antlabsmodel:inngate ig 3.10 mscope:eqversion: -

Trust: 1.6

vendor:antlabsmodel:inngate ig 3100scope:eqversion: -

Trust: 1.6

vendor:antlabsmodel:inngate e-seriesscope:eqversion:3.01

Trust: 0.9

vendor:antlabsmodel:inngate e-seriesscope:eqversion:3.10

Trust: 0.9

vendor:antlabsmodel:inngate m-seriesscope:eqversion:3.10

Trust: 0.9

vendor:antlabsmodel: - scope: - version: -

Trust: 0.8

vendor:antlabsmodel:ig 3100scope:eqversion:model 3100

Trust: 0.8

vendor:antlabsmodel:ig 3100scope:eqversion:model 3101

Trust: 0.8

vendor:antlabsmodel:inngate 3.00 e-seriesscope: - version: -

Trust: 0.8

vendor:antlabsmodel:inngate 3.01 e-seriesscope: - version: -

Trust: 0.8

vendor:antlabsmodel:inngate 3.01 g-seriesscope: - version: -

Trust: 0.8

vendor:antlabsmodel:inngate 3.02 e-seriesscope: - version: -

Trust: 0.8

vendor:antlabsmodel:inngate 3.10 e-seriesscope: - version: -

Trust: 0.8

vendor:antlabsmodel:inngate 3.10 g-seriesscope: - version: -

Trust: 0.8

vendor:antlabsmodel:sg 4scope: - version: -

Trust: 0.8

vendor:antlabsmodel:ssg 4scope: - version: -

Trust: 0.8

vendor:antlabsmodel:ssgscope:eqversion:4

Trust: 0.3

vendor:antlabsmodel:sgscope:eqversion:4

Trust: 0.3

vendor:antlabsmodel:ig3100scope:eqversion:0

Trust: 0.3

sources: CERT/CC: VU#485324 // CNVD: CNVD-2015-04404 // BID: 75560 // JVNDB: JVNDB-2015-003474 // CNNVD: CNNVD-201507-160 // NVD: CVE-2015-2849

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-2849
value: HIGH

Trust: 1.0

NVD: CVE-2015-2849
value: HIGH

Trust: 0.8

CNVD: CNVD-2015-04404
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201507-160
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2015-2849
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2015-04404
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

sources: CNVD: CNVD-2015-04404 // JVNDB: JVNDB-2015-003474 // CNNVD: CNNVD-201507-160 // NVD: CVE-2015-2849

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.8

sources: JVNDB: JVNDB-2015-003474 // NVD: CVE-2015-2849

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201507-160

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201507-160

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-003474

PATCH
title:Advisory: SQL Injection and Reflected Cross Site Scripting Vulnerabilities (CVE-201502849 and CVE-2015-2850)url:http://www.antlabs.com/advisory-sql-injection-reflected-cross-site-scripting-vulnerabilities/
Trust: 0.8
title:Patch for ANTlabs InnGate Firmware SQL Injection Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/60652
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2015-04404 // 
            
            
            
            JVNDB: JVNDB-2015-003474

EXTERNAL IDS
db:CERT/CCid:VU#485324
Trust: 4.1
db:NVDid:CVE-2015-2849
Trust: 3.3
db:BIDid:75560
Trust: 0.9
db:JVNid:JVNVU92209185
Trust: 0.8
db:JVNDBid:JVNDB-2015-003474
Trust: 0.8
db:CNVDid:CNVD-2015-04404
Trust: 0.6
db:CNNVDid:CNNVD-201507-160
Trust: 0.6
sources:
            
            
            CERT/CC: VU#485324 // 
            
            
            
            CNVD: CNVD-2015-04404 // 
            
            
            
            BID: 75560 // 
            
            
            
            JVNDB: JVNDB-2015-003474 // 
            
            
            
            CNNVD: CNNVD-201507-160 // 
            
            
            
            NVD: CVE-2015-2849

REFERENCES
url:http://www.kb.cert.org/vuls/id/485324
Trust: 3.3
url:about vulnerability notes
Trust: 0.8
url:contact us about this vulnerability
Trust: 0.8
url:provide a vendor statement
Trust: 0.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2849
Trust: 0.8
url:http://jvn.jp/vu/jvnvu92209185
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2849
Trust: 0.8
url:http://www.antlabs.com/
Trust: 0.3
sources:
            
            
            CERT/CC: VU#485324 // 
            
            
            
            CNVD: CNVD-2015-04404 // 
            
            
            
            BID: 75560 // 
            
            
            
            JVNDB: JVNDB-2015-003474 // 
            
            
            
            CNNVD: CNNVD-201507-160 // 
            
            
            
            NVD: CVE-2015-2849

CREDITS
Devesh Logendran
Trust: 0.3
sources:
            
            
            BID: 75560

SOURCES
db:CERT/CCid:VU#485324
db:CNVDid:CNVD-2015-04404
db:BIDid:75560
db:JVNDBid:JVNDB-2015-003474
db:CNNVDid:CNNVD-201507-160
db:NVDid:CVE-2015-2849

LAST UPDATE DATE
2025-04-13T23:14:31.805000+00:00

SOURCES UPDATE DATE
db:CERT/CCid:VU#485324date:2015-07-06T00:00:00
db:CNVDid:CNVD-2015-04404date:2015-07-13T00:00:00
db:BIDid:75560date:2015-07-06T00:00:00
db:JVNDBid:JVNDB-2015-003474date:2015-07-10T00:00:00
db:CNNVDid:CNNVD-201507-160date:2015-07-08T00:00:00
db:NVDid:CVE-2015-2849date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:CERT/CCid:VU#485324date:2015-07-06T00:00:00
db:CNVDid:CNVD-2015-04404date:2015-07-13T00:00:00
db:BIDid:75560date:2015-07-06T00:00:00
db:JVNDBid:JVNDB-2015-003474date:2015-07-10T00:00:00
db:CNNVDid:CNNVD-201507-160date:2015-07-08T00:00:00
db:NVDid:CVE-2015-2849date:2015-07-07T14:59:00.090