VAR-201406-0322
Vulnerability from variot - Updated: 2025-04-13 23:22SQL injection vulnerability in the web service in F5 ARX Data Manager 3.0.0 through 3.1.0 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') http://cwe.mitre.org/data/definitions/89.htmlDepending on the user who can log in to the product, any database on the database referenced by the product SQL The command may be executed. Authentication is not required to exploit this vulnerability. The specific flaw exists within the discoverFilerBasicInfo.jsft page. An attacker is able to inject SQL through the filerName field in this page, and use that to gain full administrator credentials for Data Manager. An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database. The solution supports data migration, storage tiering, and storage capacity balancing
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201406-0322",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "arx data manager",
"scope": "eq",
"trust": 1.6,
"vendor": "f5",
"version": "3.0.0"
},
{
"model": "arx data manager",
"scope": "eq",
"trust": 1.6,
"vendor": "f5",
"version": "3.1.0"
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "f5",
"version": null
},
{
"model": "arx data manager",
"scope": "lte",
"trust": 0.8,
"vendor": "f5",
"version": "3.0.0 from 3.1.0"
},
{
"model": "data manager",
"scope": null,
"trust": 0.7,
"vendor": "f5",
"version": null
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#210884"
},
{
"db": "ZDI",
"id": "ZDI-14-293"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-002948"
},
{
"db": "CNNVD",
"id": "CNNVD-201406-420"
},
{
"db": "NVD",
"id": "CVE-2014-2949"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:f5:arx_data_manager",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-002948"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Andrea Micalizzi (rgod)",
"sources": [
{
"db": "ZDI",
"id": "ZDI-14-293"
}
],
"trust": 0.7
},
"cve": "CVE-2014-2949",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"id": "CVE-2014-2949",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.0,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "NONE",
"availabilityRequirement": "LOW",
"baseScore": 5.5,
"collateralDamagePotential": "LOW",
"confidentialityImpact": "PARTIAL",
"confidentialityRequirement": "MEDIUM",
"enviromentalScore": 1.4,
"exploitability": "FUNCTIONAL",
"exploitabilityScore": 8.0,
"id": "CVE-2014-2949",
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"integrityRequirement": "MEDIUM",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"remediationLevel": "UNAVAILABLE",
"reportConfidence": "CONFIRMED",
"severity": "MEDIUM",
"targetDistribution": "LOW",
"trust": 0.8,
"userInteractionRequired": null,
"vector_string": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "Single",
"author": "IPA",
"availabilityImpact": "None",
"baseScore": 5.5,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "JVNDB-2014-002948",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "ZDI",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CVE-2014-2949",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "MEDIUM",
"trust": 0.7,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"id": "VHN-70888",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:S/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2014-2949",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2014-2949",
"trust": 0.8,
"value": "MEDIUM"
},
{
"author": "IPA",
"id": "JVNDB-2014-002948",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2014-2949",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201406-420",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-70888",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#210884"
},
{
"db": "ZDI",
"id": "ZDI-14-293"
},
{
"db": "VULHUB",
"id": "VHN-70888"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-002948"
},
{
"db": "CNNVD",
"id": "CNNVD-201406-420"
},
{
"db": "NVD",
"id": "CVE-2014-2949"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "SQL injection vulnerability in the web service in F5 ARX Data Manager 3.0.0 through 3.1.0 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) http://cwe.mitre.org/data/definitions/89.htmlDepending on the user who can log in to the product, any database on the database referenced by the product SQL The command may be executed. Authentication is not required to exploit this vulnerability. The specific flaw exists within the discoverFilerBasicInfo.jsft page. An attacker is able to inject SQL through the filerName field in this page, and use that to gain full administrator credentials for Data Manager. \nAn attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database. The solution supports data migration, storage tiering, and storage capacity balancing",
"sources": [
{
"db": "NVD",
"id": "CVE-2014-2949"
},
{
"db": "CERT/CC",
"id": "VU#210884"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-002948"
},
{
"db": "ZDI",
"id": "ZDI-14-293"
},
{
"db": "BID",
"id": "68078"
},
{
"db": "VULHUB",
"id": "VHN-70888"
}
],
"trust": 3.33
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.kb.cert.org/vuls/id/210884",
"trust": 0.8,
"type": "unknown"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#210884"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2014-2949",
"trust": 3.5
},
{
"db": "CERT/CC",
"id": "VU#210884",
"trust": 3.3
},
{
"db": "ZDI",
"id": "ZDI-14-293",
"trust": 1.8
},
{
"db": "BID",
"id": "68078",
"trust": 1.4
},
{
"db": "JVN",
"id": "JVNVU91561766",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2014-002948",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-2308",
"trust": 0.7
},
{
"db": "CNNVD",
"id": "CNNVD-201406-420",
"trust": 0.7
},
{
"db": "VULHUB",
"id": "VHN-70888",
"trust": 0.1
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#210884"
},
{
"db": "ZDI",
"id": "ZDI-14-293"
},
{
"db": "VULHUB",
"id": "VHN-70888"
},
{
"db": "BID",
"id": "68078"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-002948"
},
{
"db": "CNNVD",
"id": "CNNVD-201406-420"
},
{
"db": "NVD",
"id": "CVE-2014-2949"
}
]
},
"id": "VAR-201406-0322",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-70888"
}
],
"trust": 0.01
},
"last_update_date": "2025-04-13T23:22:34.245000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "SOL14791 - End of Software Development for Data Manager 3.x",
"trust": 0.8,
"url": "http://support.f5.com/kb/en-us/solutions/public/14000/700/sol14791.html"
},
{
"title": "SOL15310 - Data Manager SQL Injection Remote Code Execution vulnerability CVE-2014-2949",
"trust": 0.8,
"url": "http://support.f5.com/kb/en-us/solutions/public/15000/300/sol15310.html?sr=38021626"
},
{
"title": "This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.05/02/2014 - ZDI disclosed vulnerability to vendor05/12/2014 - Vendor acknowledged06/16/2014 - ZDI wrote F5 to ask for clarification about: - Vendor wrote that they notified ZDI of closure on 06/09/2014 (this was not received) and indicated that \"our publications team has determined that this release provides the appropriate level of disclosure\"06/17/2014 - ZDI acknowledged06/18/2014 - ZDI wrote to confirm mitigation only06/18/2014 - Vendor requested contact06/19/2014 - ZDI replied07/25/2014 - ZDI again wrote to confirm our understanding08/12/2014 - ZDI published advisory-- Vendor Mitigation:To mitigate this vulnerability, you can stop the Data Manager Service when not in use. To do so, perform the following procedure:Impact of action: Performing the following procedure should not have a negative impact on your system.Log in as admin to Data Manager Web Application.In the left navigation tree, click Tasks.Ensure that all tasks are completed (or canceled) before proceeding.Close the Data Manager Web Application.From the Programs menu, open the Data Manager Control Panel.Click the Main tab.In the Service Status section, click the Stop button.When necessary, you can restart the Data Manager Service by clicking the Start button.http://support.f5.com/kb/en-us/solutions/public/15000/300/sol15310.html",
"trust": 0.7,
"url": "http://support.f5.com/kb/en-us/solutions/public/15000/300/sol15310.html06/16/2014"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-14-293"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-002948"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-89",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-70888"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-002948"
},
{
"db": "NVD",
"id": "CVE-2014-2949"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.3,
"url": "http://support.f5.com/kb/en-us/solutions/public/15000/300/sol15310.html?sr=38021626"
},
{
"trust": 2.5,
"url": "http://www.kb.cert.org/vuls/id/210884"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/bid/68078"
},
{
"trust": 1.1,
"url": "http://www.zerodayinitiative.com/advisories/zdi-14-293/"
},
{
"trust": 0.8,
"url": "http://support.f5.com/kb/en-us/solutions/public/14000/700/sol14791.html"
},
{
"trust": 0.8,
"url": "http://cwe.mitre.org/data/definitions/89.html"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2949"
},
{
"trust": 0.8,
"url": "http://jvn.jp/vu/jvnvu91561766/index.html"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2949"
},
{
"trust": 0.7,
"url": "http://support.f5.com/kb/en-us/solutions/public/15000/300/sol15310.html06/16/2014"
},
{
"trust": 0.7,
"url": "http://support.f5.com/kb/en-us/solutions/public/15000/300/sol15310.html"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#210884"
},
{
"db": "ZDI",
"id": "ZDI-14-293"
},
{
"db": "VULHUB",
"id": "VHN-70888"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-002948"
},
{
"db": "CNNVD",
"id": "CNNVD-201406-420"
},
{
"db": "NVD",
"id": "CVE-2014-2949"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#210884"
},
{
"db": "ZDI",
"id": "ZDI-14-293"
},
{
"db": "VULHUB",
"id": "VHN-70888"
},
{
"db": "BID",
"id": "68078"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-002948"
},
{
"db": "CNNVD",
"id": "CNNVD-201406-420"
},
{
"db": "NVD",
"id": "CVE-2014-2949"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2014-06-17T00:00:00",
"db": "CERT/CC",
"id": "VU#210884"
},
{
"date": "2014-08-12T00:00:00",
"db": "ZDI",
"id": "ZDI-14-293"
},
{
"date": "2014-06-18T00:00:00",
"db": "VULHUB",
"id": "VHN-70888"
},
{
"date": "2014-06-17T00:00:00",
"db": "BID",
"id": "68078"
},
{
"date": "2014-06-18T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-002948"
},
{
"date": "2014-06-20T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201406-420"
},
{
"date": "2014-06-18T16:55:07.627000",
"db": "NVD",
"id": "CVE-2014-2949"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2014-06-17T00:00:00",
"db": "CERT/CC",
"id": "VU#210884"
},
{
"date": "2014-08-12T00:00:00",
"db": "ZDI",
"id": "ZDI-14-293"
},
{
"date": "2015-12-04T00:00:00",
"db": "VULHUB",
"id": "VHN-70888"
},
{
"date": "2014-08-14T00:13:00",
"db": "BID",
"id": "68078"
},
{
"date": "2014-06-23T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-002948"
},
{
"date": "2014-06-20T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201406-420"
},
{
"date": "2025-04-12T10:46:40.837000",
"db": "NVD",
"id": "CVE-2014-2949"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201406-420"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "F5 ARX Data Manager contains a SQL injection vulnerability",
"sources": [
{
"db": "CERT/CC",
"id": "VU#210884"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "SQL injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201406-420"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…