CVE-2018-25075 MEDIUM

CVE-2018-25075: karsany OBridge ProcedureDao.java getAllStandaloneProcedureAndFunction sql injection

Vendor Karsany

Product OBridge

Weakness CWE-89 · SQLi

Published January 15, 2023

Last update November 25, 2024

View on NVD All CVEs

CVSS base score

4.6/10

Attack vector Adjacent

Attack complexity High

Privileges required Low

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

Description

A vulnerability classified as critical has been found in karsany OBridge up to 1.3. Affected is the function getAllStandaloneProcedureAndFunction of the file obridge-main/src/main/java/org/obridge/dao/ProcedureDao.java. The manipulation leads to sql injection. The complexity of an attack is rather high. The exploitability is told to be difficult. Upgrading to version 1.4 is able to address this issue. The name of the patch is 52eca4ad05f3c292aed3178b2f58977686ffa376. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218376.

Key dates

Disclosure timeline

January 15, 2023 CVE published

November 25, 2024 Record updated

Identifiers

CVE CVE-2018-25075

CWE CWE-89

CVSS 4.6 / MEDIUM

Affected versions

Vendor Karsany

Product OBridge

Affected 1.0

Vendor Karsany

Product OBridge

Affected 1.1

Vendor Karsany

Product OBridge

Affected 1.2

Vendor Karsany

Product OBridge

Affected 1.3