PT-2019-9560 · Deltek · Deltek Vision
Published 2019-04-24 · Updated 2020-08-24 · CVE-2018-18251
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Deltek Vision versions prior to 7.6
Description
The issue allows the execution of arbitrary SQL statements through a custom RPC over HTTP protocol. This is possible because the system relies on the client binary to enforce security rules and integrity of SQL statements. An attacker can manipulate client HTTP calls to execute arbitrary SQL statements, potentially having unspecified other impact. To perform these attacks, an authenticated session is required. In some cases, client calls are obfuscated by encryption, which can be bypassed due to hard-coded keys and an insecure key rotation protocol. The impact may include remote code execution in some deployments.
Recommendations
For Deltek Vision versions prior to 7.6, update to version 7.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the custom RPC over HTTP protocol to minimize the risk of exploitation. Additionally, ensure that the installation documentation is followed to prevent potential remote code execution.
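To make the design flaw in the description concrete, here is an added illustration (hypothetical code, not Deltek's RPC implementation or schema): a server-side handler that executes whatever SQL text the client sends, trusting the client binary to have built it safely, beside a hardened handler that keeps the SQL on the server and lets the client choose only a named operation and its parameters. The table names, data and request shapes are constructed for the example.

```python
import sqlite3

def make_db():
    # Constructed sample data; any real schema would differ.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE projects (id INTEGER PRIMARY KEY, name TEXT, owner TEXT);
        INSERT INTO projects VALUES (1, 'Alpha', 'alice'), (2, 'Beta', 'bob');
        CREATE TABLE secrets (id INTEGER PRIMARY KEY, value TEXT);
        INSERT INTO secrets VALUES (1, 'admin-hash');
    """)
    return conn

def rpc_vulnerable(conn, request):
    # Vulnerable pattern: the server runs the SQL text carried in the RPC
    # message. Integrity of the statement is enforced only by the client,
    # so anyone who can edit the HTTP call can run arbitrary SQL.
    return conn.execute(request["sql"]).fetchall()

# Hardened pattern: SQL text lives on the server, keyed by operation name,
# and client-supplied values are bound through placeholders only.
QUERIES = {
    "project_by_owner": "SELECT id, name FROM projects WHERE owner = ?",
}

def rpc_hardened(conn, request):
    sql = QUERIES.get(request.get("op"))
    if sql is None or "sql" in request:
        # Unknown operation, or a client trying to ship raw SQL: reject.
        # In a deployment this is also the event worth logging and alerting on.
        raise PermissionError("rejected RPC request: %r" % (request,))
    params = request.get("params", [])
    if not isinstance(params, list) or not all(isinstance(p, (str, int)) for p in params):
        raise PermissionError("rejected RPC params: %r" % (params,))
    return conn.execute(sql, params).fetchall()

def is_rejected(conn, request):
    # Helper returning True when the hardened handler refuses the request.
    try:
        rpc_hardened(conn, request)
        return False
    except PermissionError:
        return True
```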
Fix
Using Hardcoded Credentials
SQL injection
Related identifiers
Affected products
Deltek Vision