JVN#93833849
Panasonic Video Insight VMS vulnerable to SQL injection
Overview
Video Insight VMS provided by Panasonic Corporation contains a SQL injection vulnerability.
Products Affected
- Video Insight 7.3.2.5 VMS and earlier
For more information, refer to the information provided by the developer.
【2020/06/25 Update】
When this advisory was first published on September 2, 2019, the affected version was described as 7.3.2.5. However, the developer found that the fix in version 7.5 was not adequate, so version 7.6.1, which contains the fix, was released later.
Description
Video Insight VMS provided by Panasonic Corporation is a video management suite for video security systems. Video Insight VMS contains a SQL injection vulnerability (CWE-89).
Impact
A logged-in user may execute arbitrary SQL statements against the database.
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
【2020/06/25 Update】
When this advisory was first published on September 2, 2019, the affected version was described as 7.3.2.5. However, the developer found that the fix in version 7.5 was not adequate, so version 7.6.1, which contains the fix, was released later.
Vendor Status
Vendor | Link |
---|---|
Panasonic Corporation | Release Notes – Video Insight IP Server 7.6.1 Maintenance Release |
 | Download |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity(AC) | High (H) | Low (L) | | |
Privileges Required(PR) | High (H) | Low (L) | None (N) | |
User Interaction(UI) | Required (R) | None (N) | | |
Scope(S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
Integrity Impact(I) | None (N) | Low (L) | High (H) | |
Availability Impact(A) | None (N) | Low (L) | High (H) | |

Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
---|---|---|---|
Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
Authentication(Au) | Multiple (M) | Single (S) | None (N) |
Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Panasonic Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Panasonic Corporation coordinated under the Information Security Early Warning Partnership.
Other Information
JPCERT Alert | |
---|---|
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2019-5996 |
JVN iPedia | JVNDB-2019-000056 |
Update History
- 2020/06/25
  - Fixed the information under the sections [Products Affected], [Solution], and [Vendor Status].