CVE-2021-31818 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.3 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Octopus	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 40%

Vendor	Product	Version
octopus	server	2018.9.17 ≤ 𝑥 < 2018.13.0
octopus	server	2020.0.0 ≤ 𝑥 < 2020.6.0
octopus	server	2020.6.0 ≤ 𝑥 < 2020.6.5146
octopus	server	2021.1.0 ≤ 𝑥 < 2021.1.7316

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

References

https://advisories.octopus.com/adv/2021-04---SQL-Injection-in-the-Events-REST-API-%28CVE-2021-31818%29.2013233248.html

https://advisories.octopus.com/adv/2021-04---SQL-Injection-in-the-Events-REST-API-%28CVE-2021-31818%29.2013233248.html