Severity: High (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L)
Components affected: Gallagher Command Centre Server
Versions of Command Centre affected: v8.30 prior to v8.30.1236 (MR1), v8.20 prior to v8.20.1166 (MR3), v8.10 prior to v8.10.1211 (MR5), v8.00 prior to v8.00.1228 (MR6), and v7.90 and earlier.
Reported by: Gallagher
Active exploitation of vulnerability*: No
Description of vulnerability: An SQL injection vulnerability in the Enterprise Data Interface (EDI) of Gallagher Command Centre allows a remote attacker who holds the 'Edit Enterprise Data Interfaces' privilege to execute arbitrary SQL against a third-party database, provided EDI is configured to import data from that database. The attack therefore requires an already-privileged Command Centre operator account (PR:H in the vector above), and its impact lands on the external database rather than on Command Centre itself (S:C). This issue affects: Gallagher Command Centre 8.30 versions prior to v8.30.1236 (MR1); 8.20 versions prior to v8.20.1166 (MR3); 8.10 versions prior to v8.10.1211 (MR5); 8.00 versions prior to v8.00.1228 (MR6); version 7.90 and prior versions.
Mitigation: Sites not using EDI are not impacted. Until the server is upgraded, do not configure EDI to import data from a database.
Maintenance releases containing the fix are now available for:
- v8.30 - v8.30.1299(MR2)
- v8.20 - v8.20.1218(MR4)
- v8.10 - v8.10.1253(MR6)
- v8.00 - v8.00.1252(MR7)
- These maintenance upgrades require the Command Centre server to be upgraded.
*This indicates whether Gallagher are aware of this being actively exploited against customer sites.
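The following is an added, hypothetical illustration of the vulnerability class this advisory describes; it is not Gallagher's EDI code and says nothing about how EDI actually builds its queries. It models an importer that reads rows from an external database using operator-supplied configuration (table, columns, filter), shows how pasting that configuration into SQL text lets the configuring operator run SQL of their choosing against the external database, and sets the hardened form beside it. The table and column names, sample rows and the injected filter are all constructed for the demo; SQLite stands in for the third-party database.

```python
"""Hypothetical illustration of the vulnerability class in this advisory.

Added example; this is not Gallagher's EDI code and does not describe how
EDI builds its queries. It models an importer that pulls rows from an
external (third-party) database using operator-supplied configuration,
shows how pasting that configuration into SQL lets the configuring
operator run SQL of their choosing against the external database, and
shows a hardened form. Table names, column names, sample rows and the
injected filter are all constructed for the demo.
"""
import sqlite3

# Constructed filter a malicious operator might save in the import
# configuration: it keeps the statement valid but appends a UNION that
# reads a table the import was never meant to touch.
INJECTED_FILTER = (
    "active = 1 UNION SELECT username, password_hash, 1 FROM db_logins"
)


def make_third_party_db() -> sqlite3.Connection:
    """Constructed stand-in for the external database (in-memory SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE staff (badge TEXT, name TEXT, active INTEGER);
        INSERT INTO staff VALUES ('1001', 'Alice', 1), ('1002', 'Bob', 0);
        CREATE TABLE db_logins (username TEXT, password_hash TEXT);
        INSERT INTO db_logins VALUES ('hr_admin', '$2b$12$constructedhash');
        """
    )
    return conn


def import_unsafe(conn, table, columns, where):
    """Vulnerable pattern: configuration strings become SQL text.

    Whoever can edit the import configuration controls the whole
    statement, so an 'import' can read (or, with a writable account,
    modify) anything the external database account can reach.
    """
    sql = f"SELECT {', '.join(columns)} FROM {table} WHERE {where}"
    return conn.execute(sql).fetchall()


def quote_ident(name: str) -> str:
    """Double-quote an identifier that has already been allow-listed."""
    return '"' + name.replace('"', '""') + '"'


def import_safe(conn, table, columns, where_column, where_value):
    """Hardened pattern.

    - Identifiers are allow-listed against the external database's own
      schema, so only real tables and columns can be named.
    - The filter is a column plus a value; the value is bound as a
      parameter, never interpolated. Free-text WHERE clauses are not
      accepted at all.
    """
    tables = {
        row[0]
        for row in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'"
        )
    }
    if table not in tables:
        raise ValueError(f"unknown table {table!r}")
    # pragma_table_info is a table-valued function, so the table name
    # can be bound as a parameter instead of spliced into the text.
    known_columns = {
        row[0]
        for row in conn.execute("SELECT name FROM pragma_table_info(?)", (table,))
    }
    for col in [*columns, where_column]:
        if col not in known_columns:
            raise ValueError(f"unknown column {col!r} in table {table!r}")
    sql = (
        f"SELECT {', '.join(quote_ident(c) for c in columns)} "
        f"FROM {quote_ident(table)} WHERE {quote_ident(where_column)} = ?"
    )
    return conn.execute(sql, (where_value,)).fetchall()


def demo():
    """Run both importers with the same malicious configuration."""
    conn = make_third_party_db()
    cols = ["badge", "name", "active"]
    leaked = import_unsafe(conn, "staff", cols, INJECTED_FILTER)
    try:
        import_safe(conn, "staff", cols, INJECTED_FILTER, 1)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected


if __name__ == "__main__":
    rows, rejected = demo()
    print("unsafe importer returned:", rows)
    print("safe importer rejected the filter:", rejected)
```

Running the demo, the unsafe importer returns the `db_logins` row alongside the intended `staff` row, which is the cross-database impact the advisory's vector scores as a scope change; the hardened importer rejects the same configuration before any SQL reaches the external database. Independently of the code path, the account an import uses against the third-party database should be read-only and restricted to the tables actually imported, so that a privileged operator abusing the interface cannot reach beyond them; that is a general least-privilege measure, not a statement about how EDI is configured.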