CVE-2020-29493 : DELL EMC Avamar Server, versions 19.1, 19.2, 19.3, contain a SQL Injection Vulne

DELL EMC Avamar Server, versions 19.1, 19.2, 19.3, contain a SQL Injection Vulnerability in Fitness Analyzer. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the execution of certain SQL commands on the application's backend database, causing unauthorized read and write access to application data. Exploitation may lead to leakage or deletion of sensitive backup data; hence the severity is Critical. Dell EMC recommends customers to upgrade at the earliest opportunity.

Published 2021-01-14 21:15:13

Updated 2021-01-21 17:54:24

Source Dell

View at NVD, CVE.org

Vulnerability category: Sql Injection

Products affected by CVE-2020-29493

Dell » Emc Integrated Data Protection Appliance » Version: 2.6
cpe:2.3:a:dell:emc_integrated_data_protection_appliance:2.6:*:*:*:*:*:*:*
Matching versions
Dell » Emc Integrated Data Protection Appliance » Version: 2.5
cpe:2.3:a:dell:emc_integrated_data_protection_appliance:2.5:*:*:*:*:*:*:*
Matching versions
Dell » Emc Avamar Server » Version: 19.1
cpe:2.3:a:dell:emc_avamar_server:19.1:*:*:*:*:*:*:*
Matching versions
Dell » Emc Avamar Server » Version: 19.3
cpe:2.3:a:dell:emc_avamar_server:19.3:*:*:*:*:*:*:*
Matching versions
Dell » Emc Avamar Server » Version: 19.2
cpe:2.3:a:dell:emc_avamar_server:19.2:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-29493

EPSS FAQ

5.80%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 90 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-29493

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
10.0	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H	3.9	6.0	Dell
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2020-29493

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Assigned by:
- nvd@nist.gov (Primary)
- security_alert@emc.com (Secondary)

References for CVE-2020-29493

https://www.dell.com/support/kbdoc/en-us/000181806/dsa-2020-272-dell-emc-avamar-server-security-update-for-multiple-vulnerabilities

Access Denied
Patch;Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2020-29493

Products affected by CVE-2020-29493

Exploit prediction scoring system (EPSS) score for CVE-2020-29493

CVSS scores for CVE-2020-29493

CWE ids for CVE-2020-29493

References for CVE-2020-29493