CVE-2020-16104

Severity: High (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L)
Components affected: Gallagher Command Centre Server
Versions of Command Centre affected: v8.30 builds prior to v8.30.1236 (MR1), v8.20 builds prior to v8.20.1166 (MR3), v8.10 builds prior to v8.10.1211 (MR5), v8.00 builds prior to v8.00.1228 (MR6), and v7.90 and earlier.
Reported by: Gallagher
Active exploitation of vulnerability*: No
Description of vulnerability: SQL Injection vulnerability in the Enterprise Data Interface (EDI) of Gallagher Command Centre allows a remote, authenticated operator holding the 'Edit Enterprise Data Interfaces' privilege to execute arbitrary SQL against a third-party database, if EDI is configured to import data from that database. The injected SQL runs on the third-party database, not on the Command Centre server itself, with whatever rights the account EDI connects with has. This issue affects: Gallagher Command Centre 8.30 versions prior to v8.30.1236 (MR1); 8.20 versions prior to v8.20.1166 (MR3); 8.10 versions prior to v8.10.1211 (MR5); 8.00 versions prior to v8.00.1228 (MR6); version 7.90 and prior versions.
Mitigation: Sites not using EDI, or whose EDI does not import from a database, are not impacted. Until the server is upgraded, do not configure EDI to import data from a database, and limit the 'Edit Enterprise Data Interfaces' privilege to operators who need it. Where a database import is retained after upgrading, give the database account EDI uses only the access the import requires.

Maintenance releases containing the fix are now available. The builds listed below are the current maintenance releases for each branch; any build at or above the fixed builds stated above also contains the fix:

  • v8.30 - v8.30.1299(MR2)
  • v8.20 - v8.20.1218(MR4)
  • v8.10 - v8.10.1253(MR6)
  • v8.00 - v8.00.1252(MR7)

Important notes:

  • These maintenance upgrades require the Command Centre server to be upgraded.


*This indicates whether Gallagher are aware of this being actively exploited against customer sites.
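The following check classifies an installed Command Centre server build against the affected and fixed ranges stated in this advisory. It is an added example, not Gallagher code or a Gallagher tool; the only inputs it relies on are the version strings given above, and the branch-comparison logic (a branch older than v8.00 is treated as affected, a branch the advisory does not list is reported as not covered) is this example's own assumption.

```python
# Added example (not Gallagher code): classify a Command Centre server build
# against the affected/fixed ranges stated in the CVE-2020-16104 advisory.
import re

# First fixed build per branch, exactly as listed in the advisory.
FIXED_BUILDS = {
    (8, 30): 1236,  # v8.30.1236 (MR1)
    (8, 20): 1166,  # v8.20.1166 (MR3)
    (8, 10): 1211,  # v8.10.1211 (MR5)
    (8, 0): 1228,   # v8.00.1228 (MR6)
}
# The advisory lists no fix for v7.90 and earlier; every branch below v8.00 is
# therefore treated as affected (assumption based on "v7.90 and earlier").
OLDEST_FIXED_BRANCH = (8, 0)

# Accepts "v8.30.1236(MR1)", "8.30.1236 (MR1)", "v7.90" and similar.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:\s*\(MR\d+\))?$")


def parse_version(text):
    """Return (major, minor, build) for a Command Centre version string.

    A missing build number is treated as build 0, i.e. the oldest build of
    that branch, which is the conservative choice for a vulnerability check.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Command Centre version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def classify(text, edi_imports_from_database=True):
    """Classify a build as 'affected', 'fixed', 'not-exposed' or 'not-covered'.

    edi_imports_from_database: whether EDI on this server is configured to
    import from a third-party database. The advisory states that sites not
    using EDI in this way are not impacted regardless of build.
    """
    if not edi_imports_from_database:
        return "not-exposed"
    major, minor, build = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_BUILDS:
        return "affected" if build < FIXED_BUILDS[branch] else "fixed"
    if branch < OLDEST_FIXED_BRANCH:
        return "affected"
    # A branch the advisory does not list (e.g. a later release line).
    return "not-covered"


if __name__ == "__main__":
    # Constructed sample inputs, not real site data.
    for sample in ["v8.30.1200", "v8.30.1299(MR2)", "v8.20.1165",
                   "v8.00.1228 (MR6)", "v7.90", "v8.40.100"]:
        print(f"{sample:20s} -> {classify(sample)}")
```

Run it with the build string shown in the Command Centre server's About dialog or installer; a result of "affected" means the server should be upgraded to the maintenance release for its branch, and "not-covered" means the build is outside the ranges this advisory describes and should be checked against Gallagher's release notes rather than assumed safe.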
