
IPA/ISEC:Vulnerabilities:Security Alert for Vulnerability in SugarCRM

August 24, 2009

The Information-technology Promotion Agency (IPA, Chairman Koji Nishigaki) announced a security alert on August 24, 2009 concerning a security vulnerability in “SugarCRM”.
This vulnerability allows an attacker who is logged in to “SugarCRM” to execute arbitrary SQL statements of their choosing.
If exploited, the database may be manipulated without proper authorization, resulting in events such as the loss of registered personal information and the deletion of data.
To fix this vulnerability, update to the fixed version supplied by the vendor.

1. Overview

“SugarCRM” is customer management software provided by SugarCRM Inc. It is available in both an open-source and a commercial version.

An SQL injection vulnerability exists in the communication between “SugarCRM” and its database.

If this vulnerability is exploited, an attacker may obtain administrator privileges for “SugarCRM”. This allows the database to be manipulated without proper authorization, which may result in events such as the loss of personal information registered in “SugarCRM” and the deletion of data.
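The following is an added illustration of the vulnerability class named in this advisory (CWE-89), not code from SugarCRM or from the original alert. It uses a constructed SQLite table standing in for a CRM user table (the schema, column names and sample rows are assumptions) and contrasts a lookup that splices a user-controlled value into the query text with the same lookup using a bound parameter. The tampered value is constructed for the demonstration and shows how an authenticated user's input can widen a query to rows they should not see; the parameterized form treats the same value purely as data and returns nothing.

```python
import sqlite3

# Constructed sample rows: (id, name, is_admin). Not SugarCRM's real schema.
SAMPLE_USERS = [
    (1, "alice", 0),
    (2, "bob", 0),
    (3, "admin", 1),
]


def make_db():
    """Create an in-memory database holding the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """CWE-89 pattern: the caller-supplied value becomes part of the SQL text,
    so anything it contains is parsed as SQL rather than treated as a value."""
    sql = f"SELECT name, is_admin FROM users WHERE id = {user_id}"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, user_id):
    """Same query with a bound parameter: the driver sends the value separately
    from the statement, so it can never change the statement's structure."""
    return conn.execute(
        "SELECT name, is_admin FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def demo():
    """Run both lookups with a benign id and with a constructed tampered value."""
    conn = make_db()
    benign = 2
    # Constructed tampered input: a logged-in user editing the id they submit.
    tampered = "2 OR is_admin = 1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_tampered": lookup_vulnerable(conn, tampered),
        "safe_benign": lookup_hardened(conn, benign),
        "safe_tampered": lookup_hardened(conn, tampered),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:14s} -> {rows}")
```

With the concatenated query, the tampered value rewrites the WHERE clause and the administrator row comes back alongside the user's own; with the bound parameter, the database compares the integer `id` column against the literal string and finds no match. The fix the advisory points to (the vendor's updated version) is the right remedy for a deployed product; in code one owns, binding parameters everywhere a query takes external input is the structural defence against this CWE.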

For the latest information, refer to the following URL:
http://jvndb.jvn.jp/jvndb/JVNDB-2009-000056

The IPA first received a report on this vulnerability from the reporter credited below on June 29, 2009. The JPCERT Coordination Center (JPCERT/CC), acting under the Information Security Early Warning Partnership, coordinated with the vendor, and the alert was made public on August 24, 2009.
Credit: Takeshi Terada, Mitsui Bussan Secure Directions Inc.

2. Impact

If a website built with “SugarCRM” is subjected to an SQL injection attack by a logged-in attacker, he or she may obtain administrator privileges for “SugarCRM”.

This allows the database to be manipulated without proper authorization, which may result in events such as the loss of personal information registered in “SugarCRM” and the deletion of data.


3. Solution

To fix this vulnerability, update to the fixed version supplied by the vendor.

4. CVSS Severity

(1) Evaluation Result

Severity Rating (CVSS base score): Medium
  □ Low    (0.0~3.9)
  ■ Medium (4.0~6.9)
  □ High   (7.0~10.0)
CVSS base score: 6.5

(2) Base Score Metrics

AV: Access Vector          □ Local     □ Adjacent Network  ■ Network
AC: Access Complexity      □ High      □ Medium            ■ Low
Au: Authentication         □ Multiple  ■ Single            □ None
C:  Confidentiality Impact □ None      ■ Partial           □ Complete
I:  Integrity Impact       □ None      ■ Partial           □ Complete
A:  Availability Impact    □ None      ■ Partial           □ Complete

■: Selected Values

5. CWE Type

This vulnerability has been classified as “SQL Injection (CWE-89)”.

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: