Skip to main content

Documentum Content Server CVE-2017-7221

HIGH
SQL Injection (CWE-89)
2017-04-25 cve@mitre.org
8.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Apr 25, 2017 - 14:59 cve.org
HIGH 8.8

DescriptionCVE.org

OpenText Documentum Content Server has an inadequate protection mechanism against SQL injection, which allows remote authenticated users to execute arbitrary code with super-user privileges by leveraging the availability of the dm_bp_transition docbase method with a user-created dm_procedure object, as demonstrated by use of a backspace character in an injected string. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2513.

AnalysisAI

OpenText Documentum Content Server has an inadequate protection mechanism against SQL injection, which allows remote authenticated users to execute arbitrary code with super-user privileges by. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. OpenText Documentum Content Server has an inadequate protection mechanism against SQL injection, which allows remote authenticated users to execute arbitrary code with super-user privileges by leveraging the availability of the dm_bp_transition docbase method with a user-created dm_procedure object, as demonstrated by use of a backspace character in an injected string. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2513. Affected products include: Opentext Documentum Content Server.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

CVE-2017-15012 HIGH POC
8.8 Oct 13

OpenText Documentum Content Server (formerly EMC Documentum Content Server) through 7.3 does not properly validate the i

CVE-2017-15013 HIGH POC
8.8 Oct 13

OpenText Documentum Content Server (formerly EMC Documentum Content Server) through 7.3 contains the following design ga

CVE-2017-15276 HIGH POC
8.8 Oct 13

OpenText Documentum Content Server (formerly EMC Documentum Content Server) through 7.3 contains the following design ga

CVE-2017-5585 HIGH POC
8.8 Feb 22

OpenText Documentum Content Server (formerly EMC Documentum Content Server) 7.3, when PostgreSQL Database is used and re

CVE-2017-7220 HIGH POC
8.8 Apr 21

OpenText Documentum Content Server allows superuser access via sys_obj_save or save of a crafted object, followed by an

CVE-2023-31871 HIGH POC
7.8 May 18

OpenText Documentum Content Server before 23.2 has a flaw that allows for privilege escalation from a non-privileged Doc

CVE-2015-4533 CRITICAL
9.0 Aug 20

EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 d

CVE-2015-4534 CRITICAL
9.0 Aug 20

Java Method Server (JMS) in EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 befo

CVE-2015-4532 CRITICAL
9.0 Aug 20

EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 d

CVE-2014-4626 CRITICAL
9.0 Dec 17

EMC Documentum Content Server before 6.7 SP1 P29, 6.7 SP2 before P18, 7.0 before P16, and 7.1 before P09 allows remote a

CVE-2017-15014 MEDIUM POC
4.3 Oct 13

OpenText Documentum Content Server (formerly EMC Documentum Content Server) through 7.3 contains the following design ga

CVE-2014-4629 CRITICAL
9.0 Dec 06

EMC Documentum Content Server 7.0, 7.1 before 7.1 P10, and 6.7 before SP2 P19 allows remote authenticated users to read

Share

CVE-2017-7221 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy