CVE-2020-15526 — MEDIUM (5.9)

Vulnerability Description

In Redgate SQL Monitor 7.1.4 through 10.1.6 (inclusive), the scope for disabling some TLS security certificate checks can extend beyond that defined by various options on the Configuration > Notifications pages to disable certificate checking for alert notifications. These TLS security checks are also ignored during monitoring of VMware machines. This would make SQL Monitor vulnerable to potential man-in-the-middle attacks when sending alert notification emails, posting to Slack or posting to webhooks. The vulnerability is fixed in version 10.1.7.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Red-Gate	Sql Monitor	>= 7.1.4, <= 10.1.6

Related Weaknesses (CWE)

CWE-295

References

https://www.red-gate.com/privacy-and-security/vulnerabilities/2020-07-08-sql-monVendor Advisory
https://www.red-gate.com/privacy-and-security/vulnerabilities/2020-07-08-sql-monVendor Advisory

FAQ

What is CVE-2020-15526?

CVE-2020-15526 is a vulnerability with a CVSS score of 5.9 (MEDIUM). In Redgate SQL Monitor 7.1.4 through 10.1.6 (inclusive), the scope for disabling some TLS security certificate checks can extend beyond that defined by various options on the Configuration > Notificat...

How severe is CVE-2020-15526?

CVE-2020-15526 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-15526?

Check the references section above for vendor advisories and patch information. Affected products include: Red-Gate Sql Monitor.