Details of VAR-202001-1231

ID

VAR-202001-1231

CVE

CVE-2014-1925

TITLE

Koha In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-008838

DESCRIPTION

SQL injection vulnerability in the MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. NOTE: this can be leveraged by remote attackers using CVE-2014-1924. Koha In SQL An injection vulnerability exists.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Koha is prone to the following security vulnerabilities: 1. An arbitrary file-access vulnerability 2. A directory-traversal vulnerability 3. An arbitrary file-write vulnerability 4. An SQL-injection vulnerability An attacker may leverage these issues to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, read or write arbitrary files from the web server, and potentially obtain sensitive information on the affected application. This may aid in further attacks

Trust: 1.89

sources: NVD: CVE-2014-1925 // JVNDB: JVNDB-2014-008838 // BID: 65448

AFFECTED PRODUCTS

vendor:	koha	model:	koha	scope:	lt	version:	3.08.23	Trust: 1.0
vendor:	koha	model:	koha	scope:	lt	version:	3.12.10	Trust: 1.0
vendor:	koha	model:	koha	scope:	gte	version:	3.10.00	Trust: 1.0
vendor:	koha	model:	koha	scope:	gte	version:	3.14.00	Trust: 1.0
vendor:	koha	model:	koha	scope:	gte	version:	3.12.00	Trust: 1.0
vendor:	koha	model:	koha	scope:	lt	version:	3.14.03	Trust: 1.0
vendor:	koha	model:	koha	scope:	lt	version:	3.10.13	Trust: 1.0
vendor:	koha	model:	library software community koha	scope:	eq	version:	3.8.22	Trust: 0.3
vendor:	koha	model:	library software community koha	scope:	eq	version:	3.14.2	Trust: 0.3
vendor:	koha	model:	library software community koha	scope:	eq	version:	3.12.9	Trust: 0.3
vendor:	koha	model:	library software community koha	scope:	eq	version:	3.10.12	Trust: 0.3
vendor:	koha	model:	library software community koha	scope:	ne	version:	3.8.23	Trust: 0.3
vendor:	koha	model:	library software community koha	scope:	ne	version:	3.14.3	Trust: 0.3
vendor:	koha	model:	library software community koha	scope:	ne	version:	3.12.10	Trust: 0.3
vendor:	koha	model:	library software community koha	scope:	ne	version:	3.10.13	Trust: 0.3

sources: BID: 65448 // NVD: CVE-2014-1925

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-1925
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2014-1925
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-202001-1093
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2014-1925
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

nvd@nist.gov:	CVE-2014-1925
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2014-1925
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2014-008838 // CNNVD: CNNVD-202001-1093 // NVD: CVE-2014-1925

PROBLEMTYPE DATA

problemtype:	CWE-89	Trust: 1.0
problemtype:	SQL injection (CWE-89) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2014-008838 // NVD: CVE-2014-1925

THREAT TYPE

network

Trust: 0.3

sources: BID: 65448

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202001-1093

PATCH

title:	Bug 11666 Koha	url:	https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11666	Trust: 0.8
title:	Koha SQL Repair measures for injecting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=112804	Trust: 0.6

sources: JVNDB: JVNDB-2014-008838 // CNNVD: CNNVD-202001-1093

EXTERNAL IDS

db:	NVD	id:	CVE-2014-1925	Trust: 2.7
db:	OPENWALL	id:	OSS-SECURITY/2014/02/07/10	Trust: 1.6
db:	OPENWALL	id:	OSS-SECURITY/2014/02/10/3	Trust: 1.6
db:	JVNDB	id:	JVNDB-2014-008838	Trust: 0.8
db:	CNNVD	id:	CNNVD-202001-1093	Trust: 0.6
db:	BID	id:	65448	Trust: 0.3

sources: BID: 65448 // JVNDB: JVNDB-2014-008838 // CNNVD: CNNVD-202001-1093 // NVD: CVE-2014-1925

REFERENCES

url:	http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11666	Trust: 1.9
url:	http://koha-community.org/security-release-february-2014/	Trust: 1.9
url:	http://www.openwall.com/lists/oss-security/2014/02/07/10	Trust: 1.6
url:	http://www.openwall.com/lists/oss-security/2014/02/10/3	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2014-1925	Trust: 1.4
url:	http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11660	Trust: 0.3
url:	http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11661	Trust: 0.3
url:	http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11662	Trust: 0.3
url:	http://koha-community.org/	Trust: 0.3

sources: BID: 65448 // JVNDB: JVNDB-2014-008838 // CNNVD: CNNVD-202001-1093 // NVD: CVE-2014-1925

CREDITS

Chris Cormack, Galen Charlton, and John Lightsey

Trust: 0.3

sources: BID: 65448

SOURCES

db:	BID	id:	65448
db:	JVNDB	id:	JVNDB-2014-008838
db:	CNNVD	id:	CNNVD-202001-1093
db:	NVD	id:	CVE-2014-1925

LAST UPDATE DATE

2024-11-23T22:16:40.034000+00:00

SOURCES UPDATE DATE

db:	BID	id:	65448	date:	2014-02-07T00:00:00
db:	JVNDB	id:	JVNDB-2014-008838	date:	2020-02-13T00:00:00
db:	CNNVD	id:	CNNVD-202001-1093	date:	2021-01-04T00:00:00
db:	NVD	id:	CVE-2014-1925	date:	2024-11-21T02:05:17.213

SOURCES RELEASE DATE

db:	BID	id:	65448	date:	2014-02-07T00:00:00
db:	JVNDB	id:	JVNDB-2014-008838	date:	2020-02-13T00:00:00
db:	CNNVD	id:	CNNVD-202001-1093	date:	2020-01-24T00:00:00
db:	NVD	id:	CVE-2014-1925	date:	2020-01-24T17:15:12.407