Vulnerability Details : CVE-2011-2703
Multiple SQL injection vulnerabilities in MapServer before 4.10.7, 5.x before 5.6.7, and 6.x before 6.0.1 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) OGC filter encoding or (2) WMS time support.
Vulnerability category: Sql Injection
Exploit prediction scoring system (EPSS) score for CVE-2011-2703
Probability of exploitation activity in the next 30 days: 0.38%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 69 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2011-2703
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
CWE ids for CVE-2011-2703
-
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-2703
-
http://www.openwall.com/lists/oss-security/2011/07/19/14
oss-security - CVE Request -- MapServer -- Stack based buffer overflow [was: Re: Re: CVE Request -- MapServer -- SQL injections in OGC filter encoding and in WMS time support.]Patch
-
http://lists.osgeo.org/pipermail/mapserver-users/2011-July/069430.html
[mapserver-users] MapServer 6.0.1, 5.6.7 and 4.10.7 releases with security fixesPatch
-
http://www.openwall.com/lists/oss-security/2011/07/19/11
oss-security - CVE Request -- MapServer -- SQL injections in OGC filter encoding and in WMS time support.Patch
-
http://www.debian.org/security/2011/dsa-2285
Debian -- Security Information -- DSA-2285-1 mapserver
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/68682
MapServer OGC filter and WMS time support SQL injection CVE-2011-2703 Vulnerability Report
-
http://trac.osgeo.org/mapserver/ticket/3903
#3903 (Security Vulnerabilities - Possible SQL Injection using OGC filter encoding) – MapServerPatch
-
http://www.openwall.com/lists/oss-security/2011/07/20/15
oss-security - Re: CVE Request -- MapServer -- Stack based buffer overflow [was: Re: Re: CVE Request -- MapServer -- SQL injections in OGC filter encoding and in WMS time support.]Patch
-
http://www.securityfocus.com/bid/48720
MapServer Multiple Security Vulnerabilities
-
https://bugzilla.redhat.com/show_bug.cgi?id=722545
722545 – MapServer SQL injection vulnerabilitiesPatch
-
https://bugzilla.redhat.com/show_bug.cgi?id=723293
723293 – (CVE-2011-2703, CVE-2011-2704, CVE-2011-2975) CVE-2011-2703 CVE-2011-2704 CVE-2011-2975 MapServer (v6.0.1, v5.6.7 and v4.10.7): Multiple SQL injections and one (stack-based) buffer overflow fPatch
Products affected by CVE-2011-2703
- cpe:2.3:a:umn:mapserver:5.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:umn:mapserver:5.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:umn:mapserver:5.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:umn:mapserver:5.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:umn:mapserver:5.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:umn:mapserver:6.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:umn:mapserver:6.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:umn:mapserver:6.0.0:beta7:*:*:*:*:*:*
- cpe:2.3:a:umn:mapserver:6.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:umn:mapserver:6.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:umn:mapserver:6.0.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:umn:mapserver:6.0.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:umn:mapserver:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:umn:mapserver:6.0.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:umn:mapserver:6.0.0:beta6:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:*:*:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:4.2.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:4.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:4.10.4:*:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:4.6.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:4.8.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:4.8.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.0.0:beta6:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:4.4.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:4.4.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:4.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:4.10.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:4.10.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:4.10.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:4.10.5:*:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.0.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.0.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.4.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.4.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.4.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.4.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.4.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.4.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:4.6.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:4.6.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:4.8.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:4.8.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:4.8.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:4.10.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:4.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:4.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.0.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.2.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.2.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.2.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.2.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:4.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:4.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:4.6.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:osgeo:mapserver:4.4.0:beta3:*:*:*:*:*:*