Nokia IMPACT: Attacker can access sensitive database data

Summary

An attacker who has been authenticated to a Nokia IMPACT system can access sensitive data from the database, including the user, database name, and version information. This is a concern for Nokia IMPACT users because it could potentially allow unauthorized access to sensitive data. To address this issue, update to a fixed version of Nokia IMPACT as soon as possible.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
nokia	impact	<= 19.11.2.10-20210118042150283	–

Original title

Nokia IMPACT through 19.11.2.10-20210118042150283 allows an authenticated user to perform a Time-based Boolean Blind SQL Injection attack on the endpoint /ui/rest-proxy/campaign/statistic (for the ...

Original description

Nokia IMPACT through 19.11.2.10-20210118042150283 allows an authenticated user to perform a Time-based Boolean Blind SQL Injection attack on the endpoint /ui/rest-proxy/campaign/statistic (for the View Campaign page) via the sortColumn HTTP GET parameter. This allows an attacker to access sensitive data from the database and obtain access to the database user, database name, and database version information.

nvd CVSS3.1 8.2

Vulnerability type

CWE-89 SQL Injection

https://www.gruppotim.it/it/footer/red-team/2021/Motive-Impact-CVE-2021-35484.ht... Third Party Advisory
https://www.nokia.com/networks/solutions/impact-iot-platform/ Product
https://www.nokia.com/notices/responsible-disclosure/ Issue Tracking