ID

VAR-201605-0504


CVE

CVE-2016-4351


TITLE

Trend Micro Email Encryption Gateway Authentication function SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2016-002695

DESCRIPTION

SQL injection vulnerability in the authentication functionality in Trend Micro Email Encryption Gateway (TMEEG) 5.5 before build 1107 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Authentication is not required to exploit this vulnerability. The specific flaw exists within the authentication functionality. The issue lies in the failure to sanitize user-supplied input prior to executing a SQL statement. An attacker could leverage this vulnerability to bypass authentication or execute code under the context of the database. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Trust: 2.61

sources: NVD: CVE-2016-4351 // JVNDB: JVNDB-2016-002695 // ZDI: ZDI-16-248 // BID: 89102 // VULHUB: VHN-93170

AFFECTED PRODUCTS

vendor: trendmicro, model: email encryption gateway, scope: lte, version: 5.5

Trust: 1.0

vendor: trend micro, model: email encryption gateway, scope: eq, version: 5.5 build 1107

Trust: 0.8

vendor: trend micro, model: email encryption gateway, scope: lt, version: 5.5

Trust: 0.8

vendor: trend micro, model: email encryption gateway, scope: -, version: -

Trust: 0.7

vendor: trend micro, model: email encryption gateway, scope: eq, version: 5.5

Trust: 0.6

sources: ZDI: ZDI-16-248 // JVNDB: JVNDB-2016-002695 // CNNVD: CNNVD-201605-128 // NVD: CVE-2016-4351

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-4351
value: CRITICAL

Trust: 1.0

NVD: CVE-2016-4351
value: CRITICAL

Trust: 0.8

ZDI: CVE-2016-4351
value: HIGH

Trust: 0.7

CNNVD: CNNVD-201605-128
value: CRITICAL

Trust: 0.6

VULHUB: VHN-93170
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2016-4351
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 2.5

VULHUB: VHN-93170
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-4351
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2016-4351
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: ZDI: ZDI-16-248 // VULHUB: VHN-93170 // JVNDB: JVNDB-2016-002695 // CNNVD: CNNVD-201605-128 // NVD: CVE-2016-4351

PROBLEMTYPE DATA

problemtype: CWE-89

Trust: 1.9

sources: VULHUB: VHN-93170 // JVNDB: JVNDB-2016-002695 // NVD: CVE-2016-4351

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201605-128

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201605-128

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-002695

PATCH

title: Solution ID: 1114060, url: https://esupport.trendmicro.com/solution/en-US/1114060.aspx

Trust: 1.5

title: Trend Micro Email Encryption SQL Repair measures for injecting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=61451

Trust: 0.6

sources: ZDI: ZDI-16-248 // JVNDB: JVNDB-2016-002695 // CNNVD: CNNVD-201605-128

EXTERNAL IDS

db: NVD, id: CVE-2016-4351

Trust: 3.5

db: ZDI, id: ZDI-16-248

Trust: 2.7

db: JVNDB, id: JVNDB-2016-002695

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-3547

Trust: 0.7

db: CNNVD, id: CNNVD-201605-128

Trust: 0.7

db: BID, id: 89102

Trust: 0.4

db: VULHUB, id: VHN-93170

Trust: 0.1

sources: ZDI: ZDI-16-248 // VULHUB: VHN-93170 // BID: 89102 // JVNDB: JVNDB-2016-002695 // CNNVD: CNNVD-201605-128 // NVD: CVE-2016-4351

REFERENCES

url: https://esupport.trendmicro.com/solution/en-us/1114060.aspx

Trust: 2.7

url: http://www.zerodayinitiative.com/advisories/zdi-16-248

Trust: 1.7

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-4351

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-4351

Trust: 0.8

url: http://www.trend.com

Trust: 0.3

url: http://www.zerodayinitiative.com/advisories/zdi-16-248/

Trust: 0.3

sources: ZDI: ZDI-16-248 // VULHUB: VHN-93170 // BID: 89102 // JVNDB: JVNDB-2016-002695 // CNNVD: CNNVD-201605-128 // NVD: CVE-2016-4351

CREDITS

Anonymous

Trust: 1.0

sources: ZDI: ZDI-16-248 // BID: 89102

SOURCES

db: ZDI, id: ZDI-16-248
db: VULHUB, id: VHN-93170
db: BID, id: 89102
db: JVNDB, id: JVNDB-2016-002695
db: CNNVD, id: CNNVD-201605-128
db: NVD, id: CVE-2016-4351

LAST UPDATE DATE

2025-04-12T23:34:59.649000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-16-248, date: 2016-04-28T00:00:00
db: VULHUB, id: VHN-93170, date: 2016-05-09T00:00:00
db: BID, id: 89102, date: 2016-07-06T14:35:00
db: JVNDB, id: JVNDB-2016-002695, date: 2016-05-17T00:00:00
db: CNNVD, id: CNNVD-201605-128, date: 2021-09-10T00:00:00
db: NVD, id: CVE-2016-4351, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: ZDI, id: ZDI-16-248, date: 2016-04-28T00:00:00
db: VULHUB, id: VHN-93170, date: 2016-05-05T00:00:00
db: BID, id: 89102, date: 2016-04-28T00:00:00
db: JVNDB, id: JVNDB-2016-002695, date: 2016-05-17T00:00:00
db: CNNVD, id: CNNVD-201605-128, date: 2016-04-28T00:00:00
db: NVD, id: CVE-2016-4351, date: 2016-05-05T18:59:11.740