CVE-2017-9246

New Relic .NET Agent before 6.3.123.0 adds SQL injection flaws to safe applications via vectors involving failure to escape quotes during use of the Slow Queries feature, as demonstrated by a mishandled quote in a VALUES clause of an INSERT statement, after bypassing a SET SHOWPLAN_ALL ON protection mechanism.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 48%
VendorProductVersion
newrelic.net_agent
𝑥
≤ 6.2.26.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://blog.seanmcelroy.com/2017/05/26/sql-injection-with-new-relic-patched/
https://blog.seanmcelroy.com/2017/05/26/sql-injection-with-new-relic-patched/