CVE-2014-3997 : SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Passw

SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition 5 through 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and possibly other ManageEngine products, allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the sv parameter to MetadataServlet.dat.

Published 2014-12-05 15:59:01

Updated 2025-04-12 10:46:41

Source MITRE

View at NVD, CVE.org

Vulnerability category: Sql Injection

Products affected by CVE-2014-3997

Zohocorp » Manageengine It360 »
Versions up to, including, (<=) 10.3.3
cpe:2.3:a:zohocorp:manageengine_it360:*:*:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine It360 » Managed Service Providers Edition
Versions up to, including, (<=) 10.3.3
cpe:2.3:a:zohocorp:manageengine_it360:*:*:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 5.2
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:5.2:*:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 5.4
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:5.4:*:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.2 Update Build6201
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.2:build6201:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.4
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.4:*:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.4 Update Build6402
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.4:build6402:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.5 Update Build6504
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.5:build6504:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.6 Update Build6600
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.6:build6600:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.9
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.9:*:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.9 Update Build6901
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.9:build6901:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 7.0 Update Build7000
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:7.0:build7000:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 7.0 Update Build7002
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:7.0:build7002:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 5.0
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:5.0:*:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.4 Update Build6403
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.4:build6403:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.4 Update Build6404
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.4:build6404:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.5
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.5:*:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.5 Update Build6503
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.5:build6503:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.9 Update Build6902
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.9:build6902:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.9 Update Build6903
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.9:build6903:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.9 Update Build6904
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.9:build6904:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 7.0
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:7.0:*:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.0
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.0:*:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.0 Update Build6002
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.0:build6002:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.1 Update Build6104
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.1:build6104:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.2
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.2:*:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.7 Update Build6701
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.7:build6701:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.8 Update Build6800
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.8:build6800:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.8 Update Build6801
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.8:build6801:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.8 Update Build6802
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.8:build6802:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 5.1
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:5.1:*:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 5.3
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:5.3:*:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.3
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.3:*:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.4 Update Build6401
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.4:build6401:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.5 Update Build6505
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.5:build6505:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.7 Update Build6700
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.7:build6700:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.8 Update Build6803
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.8:build6803:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.9 Update Build6900
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.9:build6900:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 7.0 Update Build7001
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:7.0:build7001:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 7.0 Update Build7003
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:7.0:build7003:*:*:-:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 5.1 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:5.1:*:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 5.3 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:5.3:*:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.2 Update Build6201 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.2:build6201:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.4 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.4:*:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.5 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.5:*:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.5 Update Build6504 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.5:build6504:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.6 Update Build6600 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.6:build6600:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.8 Update Build6802 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.8:build6802:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.9 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.9:*:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 7.0 Update Build7000 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:7.0:build7000:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 7.0 Update Build7002 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:7.0:build7002:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.0 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.0:*:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.0 Update Build6002 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.0:build6002:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.1 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.1:*:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.1 Update Build6104 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.1:build6104:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.7 Update Build6700 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.7:build6700:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.7 Update Build6701 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.7:build6701:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.8 Update Build6800 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.8:build6800:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.8 Update Build6801 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.8:build6801:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 7.0 Update Build7003 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:7.0:build7003:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 5.0 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:5.0:*:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.4 Update Build6401 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.4:build6401:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.4 Update Build6402 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.4:build6402:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.4 Update Build6403 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.4:build6403:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.4 Update Build6404 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.4:build6404:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.9 Update Build6901 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.9:build6901:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.9 Update Build6902 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.9:build6902:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.9 Update Build6903 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.9:build6903:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.9 Update Build6904 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.9:build6904:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 5.2 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:5.2:*:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 5.4 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:5.4:*:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.2 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.2:*:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.3 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.3:*:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.5 Update Build6503 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.5:build6503:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.5 Update Build6505 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.5:build6505:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.8 Update Build6803 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.8:build6803:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 6.9 Update Build6900 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:6.9:build6900:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 7.0 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:7.0:*:*:*:managed_service_providers:*:*:*
Matching versions
Zohocorp » Manageengine Password Manager Pro » Version: 7.0 Update Build7001 Managed Service Providers Edition
cpe:2.3:a:zohocorp:manageengine_password_manager_pro:7.0:build7001:*:*:managed_service_providers:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2014-3997

EPSS FAQ

1.29%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 78 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-3997

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2014-3997

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-3997

https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc_pmp_it360_sqli.txt

Exploit

CVEs referencing this url
http://seclists.org/fulldisclosure/2014/Aug/85

Full Disclosure: Re: [The ManageOwnage Series, part I]: blind SQL injection in two servlets (metasploit module included)
Exploit;Mailing List;Third Party Advisory

CVEs referencing this url
https://raw.githubusercontent.com/pedrib/PoC/master/msf_modules/manageengine_dc_pmp_sqli.rb

Exploit

CVEs referencing this url
http://seclists.org/fulldisclosure/2014/Aug/55

Full Disclosure: [The ManageOwnage Series, part I]: blind SQL injection in two servlets (metasploit module included)
Exploit;Mailing List;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2014-3997

Products affected by CVE-2014-3997

Exploit prediction scoring system (EPSS) score for CVE-2014-3997

CVSS scores for CVE-2014-3997

CWE ids for CVE-2014-3997

References for CVE-2014-3997