PT-2017-18803 · New Relic · New Relic .Net Agent

Published

2017-06-13

Updated

2022-05-17

CVE-2017-9246

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions New Relic .NET Agent versions prior to 6.3.123.0

Description The issue involves SQL injection flaws in safe applications due to the failure to escape quotes during the use of the Slow Queries feature. This can be demonstrated by a mishandled quote in a VALUES clause of an INSERT statement, which can occur after bypassing a SET SHOWPLAN ALL ON protection mechanism.

Recommendations For versions prior to 6.3.123.0, update to version 6.3.123.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the Slow Queries feature until a patch is applied. Avoid using the Slow Queries feature with user-inputted data to minimize the risk of exploitation.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2017-9246

GHSA-2RVX-CVFC-MCP2

Affected Products

New Relic .Net Agent

PT-2017-18803 · New Relic · New Relic .Net Agent

CVE-2017-9246

Weakness Enumeration

Related Identifiers

Affected Products

References · 6