JVN#31035930 SugarCRM vulnerable to SQL injection

Overview

SugarCRM contains a SQL injection vulnerability.

Products Affected

SugarCRM Community/Professional/Enterprise Editions 5.2.0g and earlier
SugarCRM Community/Professional/Enterprise Editions 5.0.0k and earlier
SugarCRM Community/Professional/Enterprise Editions 4.5.1o and earlier

Description

SugarCRM is a customer relationship management (CRM) software. SugarCRM contains a SQL injection vulnerability.

Impact

As a result of SQL injection, contents within the database can be compromised.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor	Link
SugarCRM Inc.	Sugar Community Edition 5.2.0 Patch H
	Sugar Community Edition 5.0.0l and 4.5.1p Now Available
	Download Sugar Community Edition
	SugarCRM - Downloads - Patch Archive

References

IPA
Security Alert for Vulnerability in SugarCRM

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2009.08.24

Measures	Conditions	Severity
Access Required	Routed - can be attacked over the Internet using packets	High
Authentication	Standard - login caused to be created by an administrator	Low-Medium
User Interaction Required	None - the vulnerability can be exploited without an honest user taking any action	High
Exploit Complexity	Medium-High - expertise and/or luck required (guessing correctly in medium-sized space, kernel expertise)	Medium

Description of each analysis measures

Credit

Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE	CVE-2009-2978
JVN iPedia	JVNDB-2009-000056

Update History

2009/08/26: Information under the section "Products Affected" and "Vulnerability Analysis by JPCERT/CC" have been modified.