IPA/ISEC：Vulnerabilities：Security Alert for Vulnerability in SugarCRM

August 24, 2009
>> JAPANESE

1.Overview

“SugarCRM” is a customer management software provided by SugarCRM Inc.. An open-source and commercial version of the software is available.

SQL injection security vulnerability exists in the communication process between “SugarCRM” and database.

If this vulnerability is exploited, the attacker may obtain administrator privileges for “SugarCRM”. This allows the database to be operated without proper authorization, resulting in the possibility that events such as the loss of personal information registered on the “SugarCRM” and the deletion of data may occur.

For the latest information, refer to the following URL:
http://jvndb.jvn.jp/jvndb/JVNDB-2009-000056

The IPA first received a report concerning this vulnerability through the creditee below on June 29, 2009, and the JCPERT Coordination Center (JCPERT/CC), in line with the Information Security Early Warning Partnership, made adjustments to clarify the matter with the vendor and made the announcement public on August 24, 2009.
Credit: Takeshi Terada, Mitsui Bussan Secure Directions Inc.

2.Impact

In the event a website created by “SugarCRM” experiences an SQL injection attack by a logged-in attacker, he or she may obtain administrator privileges for “SugarCRM”.

This allows the database to be operated without proper authorization, resulting in the possibility that events such as the loss of personal information registered on the “SugarCRM” and the deletion of data may occur.

3.Solution

To fix this vulnerability, update to the fixed version supplied by the vendor.

4.CVSS Severity

(1)Evaluation Result

(2) Base Score Metrics

■:Selected Values

5.CWE Type

This vulnerability has been CWE classified as “SQL Injection (CWE-89)”.

Contact