An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The database connection strings accept custom unsafe arguments, such as ENABLE_LOCAL_INFILE, that can be leveraged by attackers to enable MySQL Load Data Local (rogue MySQL server) attacks.
References
Link | Resource |
---|---|
http://www.ozeki.hu/index.php?owpn=231 | Product Vendor Advisory |
https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-14027-MySQL%20LOAD%20DATA%20LOCAL%20INFILE%20Attack-Ozeki%20SMS%20Gateway | Exploit Third Party Advisory |
Configurations
Information
Published : 2020-09-22 11:15
Updated : 2020-09-25 19:33
NVD link : CVE-2020-14027
Mitre link : CVE-2020-14027
JSON object : View
CWE
CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Products Affected
ozeki
- ozeki_ng_sms_gateway