Security Alert for Vulnerability in SugarCRM
August 24, 2009
The Information-technology Promotion Agency (IPA, Chairman Koji Nishigaki) announced a security alert on August 24, 2009 concerning a security vulnerability in “SugarCRM”.
This vulnerability allows an attacker who is logged in to “SugarCRM” to execute arbitrary SQL statements injected into the application's database queries.
If exploited, the database may be operated on without proper authorization, resulting in events such as the loss of registered personal information and the deletion of data.
To fix this vulnerability, update to the fixed version supplied by the vendor.
“SugarCRM” is customer relationship management software provided by SugarCRM Inc. It is available in both an open-source and a commercial version.
An SQL injection vulnerability exists in the communication between “SugarCRM” and its database.
If this vulnerability is exploited, the attacker may obtain administrator privileges for “SugarCRM”. This allows the database to be operated on without proper authorization, which may result in events such as the loss of personal information registered in “SugarCRM” and the deletion of data.
For the latest information, refer to the following URL:
http://jvndb.jvn.jp/jvndb/JVNDB-2009-000056
The IPA first received a report concerning this vulnerability from the creditee below on June 29, 2009. The JPCERT Coordination Center (JPCERT/CC), in line with the Information Security Early Warning Partnership, coordinated with the vendor to clarify the matter, and the vulnerability was made public on August 24, 2009.
Credit: Takeshi Terada, Mitsui Bussan Secure Directions Inc.
If a logged-in attacker carries out an SQL injection attack against a website built with “SugarCRM”, he or she may obtain administrator privileges for “SugarCRM”.
This allows the database to be operated on without proper authorization, which may result in events such as the loss of personal information registered in “SugarCRM” and the deletion of data.
To fix this vulnerability, update to the fixed version supplied by the vendor.
| Severity Rating (CVSS base score) | □ Low (0.0~3.9) | ■ Medium (4.0~6.9) | □ High (7.0~10.0) |
|---|---|---|---|
| CVSS base score | 6.5 | | |
| AV: Access Vector | □ Local | □ Adjacent Network | ■ Network |
| AC: Access Complexity | □ High | □ Medium | ■ Low |
| Au: Authentication | □ Multiple | ■ Single | □ None |
| C: Confidentiality Impact | □ None | ■ Partial | □ Complete |
| I: Integrity Impact | □ None | ■ Partial | □ Complete |
| A: Availability Impact | □ None | ■ Partial | □ Complete |

■: Selected values
This vulnerability is classified as “SQL Injection (CWE-89)” under CWE.
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)