CVE-2016-4999

Name of the Vulnerable Software and Affected Versions Dashbuilder versions prior to 0.6.0.Beta1

Description The issue allows remote attackers to execute arbitrary SQL commands via a data set lookup filter in the Data Set Authoring or Displayer editor UI. This is due to a SQL injection vulnerability in the getStringParameterSQL method.

Recommendations For versions prior to 0.6.0.Beta1, update to version 0.6.0.Beta1 or later to resolve the issue. As a temporary workaround, consider restricting access to the getStringParameterSQL method in the DefaultDialect.java file until a patch is available. Avoid using the data set lookup filter in the Data Set Authoring or Displayer editor UI until the issue is resolved.