what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

EMC Documentum Digital Asset Manager Blind DQL Injection

EMC Documentum Digital Asset Manager Blind DQL Injection
Posted Jun 5, 2014
Site emc.com

EMC Documentum Digital Asset Manager (DAM) announces a security fix to address blind DQL (Documentum Query Language) injection vulnerability. The DAM thumbnail proxy server allows unauthenticated users to query objects using a vulnerable URL query string parameter. A malicious attacker can potentially conduct Blind DQL injection attacks using the vulnerable parameter to infer or modify the database contents. EMC Documentum Digital Asset Manager versions 6.5 SP3 through SP6 are affected.

tags | advisory
advisories | CVE-2014-2503
SHA-256 | 91095ede0e45fd5a70e325ef49ee1a0b47012f04bd0ecbd47837a21f92c3fdf2

EMC Documentum Digital Asset Manager Blind DQL Injection

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2014-024: EMC Documentum Digital Asset Manager Blind DQL Injection Vulnerability

EMC Identifier: ESA-2014-024

CVE Identifier: CVE-2014-2503

Severity Rating: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected products:

• EMC Documentum Digital Asset Manager 6.5 SP3
• EMC Documentum Digital Asset Manager 6.5 SP4
• EMC Documentum Digital Asset Manager 6.5 SP5
• EMC Documentum Digital Asset Manager 6.5 SP6


Summary:

EMC Documentum Digital Asset Manager (DAM) announces a security fix to address Blind DQL (Documentum Query Language) Injection vulnerability.

Details:

The DAM thumbnail proxy server allows unauthenticated users to query objects using a vulnerable URL query string parameter. A malicious attacker can potentially conduct Blind DQL injection attacks using the vulnerable parameter to infer or modify the database contents.

Resolution:

Customers using EMC DAM 6.5 SP3, 6.5 SP4 and 6.5 SP5 should apply the hotfix from the link given under “Link to remedies”.

Customers using EMC DAM 6.5 SP6 should upgrade to 6.5 SP6 P13 and later as this contains the resolution for this issue.

EMC strongly recommends all customers apply the hotfix or upgrade at the earliest opportunity.

Link to remedies:

• The hotfix for EMC DAM 6.5 SP3, 6.5 SP4 and 6.5 SP5 can be downloaded from:
https://emc.subscribenet.com/control/dctm/download?element=3888781
File Name: DQL_Injection_with_DAM_Proxy_Server_HotFix.zip.
Installation instructions are available in the zip file.
• EMC DAM 6.5 SP6 P13 and later can be downloaded from:
https://emc.subscribenet.com/control/dctm/download?element=4772311



Read and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical Support at 1-877-534-2867.

Product Security Response Center [security_alert@emc.com]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)

iEYEARECAAYFAlOPQPQACgkQtjd2rKp+ALwnKACfcDgdR3ezraBQEkGZDGkov/ir
XLUAoJRWVI9447Xns5IRHc7w+9e/yv8C
=efNd
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    18 Files
  • 21
    Jun 21st
    8 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close