Vulnerability Description
SQL injection vulnerability in ModuleServlet.do in the Storage Manager Profiler in IBM System Storage DS Storage Manager before 10.83.xx.18 on DS Series devices allows remote authenticated users to execute arbitrary SQL commands via the selectedModuleOnly parameter in a state_viewmodulelog action to the ModuleServlet URI.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ibm | Ds Storage Manager Host Software | <= 10.83 |
| Ibm | Ds4100 | All versions |
| Ibm | Ds4200 | 1814 |
| Ibm | Ds4300 | 1722 |
| Ibm | Ds4400 | 1742 |
| Ibm | Ds4500 | 1742 |
| Ibm | Ds4700 | 1814 |
| Ibm | Ds4800 | 1815 |
| Ibm | System Storage Dcs3700 Storage Subsystem | 1818 |
| Ibm | System Storage Ds3200 | 1726 |
| Ibm | System Storage Ds3300 | 1726 |
| Ibm | System Storage Ds3400 | 1726 |
| Ibm | System Storage Ds3512 | 1746 |
| Ibm | System Storage Ds3524 | 1746 |
| Ibm | System Storage Ds3950 Express | 1814 |
| Ibm | System Storage Ds5020 Disk Controller | 1814-20a |
| Ibm | System Storage Ds5100 Storage Controller | 1818 |
| Ibm | System Storage Ds5300 Storage Controller | 1818 |
Related Weaknesses (CWE)
References
- http://www.ibm.com/connections/blogs/PSIRT/entry/secbulletin_stg-storage_cve-201Vendor Advisory
- http://www.zeroscience.mk/codes/ibmssdssmp_sqlixss.txt
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75236
- http://www.ibm.com/connections/blogs/PSIRT/entry/secbulletin_stg-storage_cve-201Vendor Advisory
- http://www.zeroscience.mk/codes/ibmssdssmp_sqlixss.txt
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75236
FAQ
What is CVE-2012-2171?
CVE-2012-2171 is a vulnerability with a CVSS score of 6.5 (MEDIUM). SQL injection vulnerability in ModuleServlet.do in the Storage Manager Profiler in IBM System Storage DS Storage Manager before 10.83.xx.18 on DS Series devices allows remote authenticated users to ex...
How severe is CVE-2012-2171?
CVE-2012-2171 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-2171?
Check the references section above for vendor advisories and patch information. Affected products include: Ibm Ds Storage Manager Host Software, Ibm Ds4100, Ibm Ds4200, Ibm Ds4300, Ibm Ds4400.