PT-2023-26792 · Bmc · Bmc Control-M
Published
2023-07-31
·
Updated
2023-08-04
·
CVE-2023-39122
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
BMC Control-M versions prior to 9.0.21
BMC Control-M version 9.0.20.200
Description
The issue allows SQL injection via the "/RF-Server/report/deleteReport" API endpoint, specifically through the
report-id parameter.Recommendations
For BMC Control-M version 9.0.20.200, apply the available patch to fix the issue.
For versions prior to 9.0.21, update to version 9.0.21 or later to resolve the issue.
As a temporary workaround, consider restricting access to the "/RF-Server/report/deleteReport" API endpoint until a patch or update is applied.
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Bmc Control-M