CVE-2021-4088 : SQL injection vulnerability in Data Loss Protection (DLP) ePO extension 11.8.x prior to 11.8.100, 11.7.x prior to 11.7.1

SQL injection vulnerability in Data Loss Protection (DLP) ePO extension 11.8.x prior to 11.8.100, 11.7.x prior to 11.7.101, and 11.6.401 allows a remote authenticated attacker to inject unfiltered SQL into the DLP part of the ePO database. This could lead to remote code execution on the ePO server with privilege escalation.

Published 2022-01-24 16:15:08

Updated 2023-11-15 20:25:05

Source Trellix

View at NVD, CVE.org

Vulnerability category: Sql InjectionExecute codeGain privilege

Exploit prediction scoring system (EPSS) score for CVE-2021-4088

Probability of exploitation activity in the next 30 days: 0.08%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 34 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-4088

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:P	8.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.2	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	1.2	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.4	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H	1.7	6.0	McAfee (DEFUNCT)
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: High
8.4	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H	1.7	6.0	Trellix
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2021-4088

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
Assigned by:
- nvd@nist.gov (Primary)
- psirt@mcafee.com (Primary)
- trellixpsirt@trellix.com (Secondary)

References for CVE-2021-4088

https://kc.mcafee.com/corporate/index?page=content&id=SB10376

Security Bulletin - Data Loss Prevention ePO extension update fixes Blind SQL injection vulnerability (CVE-2021-4088)
Broken Link

Products affected by CVE-2021-4088

Mcafee » Data Loss Prevention » For Epolicy Orchestrator
Versions from including (>=) 11.7.0 and before (<) 11.7.101
cpe:2.3:a:mcafee:data_loss_prevention:*:*:*:*:*:epolicy_orchestrator:*:*
Matching versions
Mcafee » Data Loss Prevention » For Epolicy Orchestrator
Versions from including (>=) 11.8.0 and before (<) 11.8.100
cpe:2.3:a:mcafee:data_loss_prevention:*:*:*:*:*:epolicy_orchestrator:*:*
Matching versions
Mcafee » Data Loss Prevention » Version: 11.6.401 For Epolicy Orchestrator
cpe:2.3:a:mcafee:data_loss_prevention:11.6.401:*:*:*:*:epolicy_orchestrator:*:*
Matching versions

Vulnerability Details : CVE-2021-4088

Exploit prediction scoring system (EPSS) score for CVE-2021-4088

CVSS scores for CVE-2021-4088

CWE ids for CVE-2021-4088

References for CVE-2021-4088

Products affected by CVE-2021-4088