Security Advisory – SOS-18-002 – CA Workload Automation AE SQL Injection
Release Date: 29-Mar-2018
Last Update: –
Vendor Notification Date: 17-Oct-2017
Product: CA Workload Automation AE
Platform: Microsoft Windows
Affected versions: CA Workload Automation AE r11.3.5, r11.3.6 SP6 and earlier
Severity Rating: Medium
Impact: Exposure of sensitive information and exposure of system information
Attack Vector: Remote with authentication
Solution Status: CA Workload Automation AE Release 11.3.6 SP7
CVE reference: CVE-2018-8953
Details
CA Workload Automation AE (AutoSys Edition) is a workload automation tool supplied by CA Technologies. CA Workload Automation AE suffers from SQL injection vulnerabilities because it fails to validate supplied data before using it in a SQL query.
Please refer to the PDF version of this advisory for proof of concept code examples.
Solution
Apply the patch from CA Workload Automation AE Release 11.3.6 SP7, released on 2 March 2018.
Additional information is available here.
Discovered By
Hamed Merati from Sense of Security Labs.