ARC24-001

Veritas / Arctera Data Insight SQL Injection (SQLi) Vulnerability

Revision History

  • 1.0: December 16, 2024: Initial version
  • 1.1: January 02, 2025: CVE_ID added

Summary

A vulnerability was discovered in Veritas / Arctera Data Insight versions 7.1, and prior.  The vulnerability allows an attacker to modify the syntax of a SQL query in one of the administrative features of the application. This may result in the attacker being able to submit arbitrary SQL commands on the back-end database to create, read, update, or delete data stored in the database.

Issue

CVE ID: CVE-2024-46542

Severity: Medium

CVSS v3.1 Base Score 6.5 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Prerequisites

It is required that the attacker have the role of Application Administrator which allows browsing of the database through the web console.

Affected Versions

Veritas / Arctera Data Insight versions 6.3, 6.3.1, 6.4, 6.4.1, 6.5, 6.5.1, 6.5.2, 6.6, 6.6.1, 6.6.2, 7.0, 7.0.1 and 7.1. Earlier unsupported versions of Veritas / Arctera Data Insight may be affected as well.

Remediation

Customers under a current maintenance contract should upgrade to Data Insight version 7.1.1:
https://www.veritas.com/support/en_US/downloads/update.UPD530310

See the Download Center for available updates: https://www.veritas.com/support/en_US/downloads

Acknowledgement

Veritas / Arctera would like to thank Mario Tesoro for notifying us of this vulnerability.

Questions

For questions or problems regarding these vulnerabilities please contact Veritas / Arctera Technical Support (https://www.arctera.io/support).

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.  VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION.  THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Arctera US LLC
6200 Stoneridge Mall Road, Suite 150
Pleasanton, CA 94588