What is the severity of CVE-2011-2703?

CVE-2011-2703 has a medium severity rating due to the potential exploitation through SQL injection and buffer overflow vulnerabilities.

How do I fix CVE-2011-2703?

To fix CVE-2011-2703, update MapServer to a version later than 4.10.6 or apply the necessary patches provided by the maintainers.

What are the main vulnerabilities associated with CVE-2011-2703?

CVE-2011-2703 includes multiple SQL injection flaws and a stack-based buffer overflow flaw.

Which versions of MapServer are affected by CVE-2011-2703?

CVE-2011-2703 affects MapServer versions up to 4.10.6, as well as specific beta versions prior to 5.0.0.

Is there a workaround for CVE-2011-2703 if I can't upgrade?

While upgrading is the best solution for CVE-2011-2703, implementing input validation and sanitization can serve as a temporary workaround.

Vulnerability/
CVE-2011-2703

high

7.5

CWE

89 119

19/7/2011

1/8/2011

6/8/2024

CVE-2011-2703: SQL Injection

First published: Tue Jul 19 2011(Updated: )

Multiple SQL injection flaws and one stack based buffer overflow flaw were found in MapServer: [1] <a href="http://lists.osgeo.org/pipermail/mapserver-users/2011-July/069430.html">http://lists.osgeo.org/pipermail/mapserver-users/2011-July/069430.html</a> More from [1]: MapServer developers have discovered flaws in the OGC filter support in MapServer. That code is used in support of WFS, WMS-SLD and SOS specifications. All versions may be susceptible to SQL injection under certain circumstances. The extent of the vulnerability depends on the MapServer version, relational database and mapfile configuration being used. All users are ** strongly encouraged ** to upgrade to these latest releases. The 5.6.7 and 4.10.7 releases also address one significant potentially exploitable buffer overflow (6.0 branch is not vulneralble). References: [1] <a href="http://lists.osgeo.org/pipermail/mapserver-users/2011-July/069430.html">http://lists.osgeo.org/pipermail/mapserver-users/2011-July/069430.html</a> [2] <a href="http://trac.osgeo.org/mapserver/ticket/3903">http://trac.osgeo.org/mapserver/ticket/3903</a> [3] <a class="bz_bug_link bz_status_CLOSED bz_closed bz_public " title="CLOSED ERRATA - MapServer SQL injection vulnerabilities" href="show_bug.cgi?id=722545">https://bugzilla.redhat.com/show_bug.cgi?id=722545</a> [4] <a href="http://www.openwall.com/lists/oss-security/2011/07/19/11">http://www.openwall.com/lists/oss-security/2011/07/19/11</a> (CVE Request) Relevant upstream patches: [5] <a href="http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_6.0.x.patch">http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_6.0.x.patch</a> (for 6.0.x branch) [6] <a href="http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_5.6.x.patch">http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_5.6.x.patch</a> (for 5.6.x branch) [7] <a href="http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_5.4.x.patch">http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_5.4.x.patch</a> (for 5.4.x branch) [8] <a href="http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_5.2.x.patch">http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_5.2.x.patch</a> (for 5.2.x branch) [9] <a href="http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_5.0.x.patch">http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_5.0.x.patch</a> (for 5.0.x branch) [10] <a href="http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_4.10.x.patch">http://trac.osgeo.org/mapserver/attachment/ticket/3903/ticket3903_4.10.x.patch</a> (for 4.10.x branch)

Credit: secalert@redhat.com

Affected Software	Affected Version	How to fix
MapServer	<=4.10.6
MapServer	=4.2.0-beta1
MapServer	=4.4.0
MapServer	=4.4.0-beta1
MapServer	=4.4.0-beta2
MapServer	=4.4.0-beta3
MapServer	=4.6.0
MapServer	=4.6.0-beta1
MapServer	=4.6.0-beta2
MapServer	=4.6.0-beta3
MapServer	=4.6.0-rc1
MapServer	=4.8.0-beta1
MapServer	=4.8.0-beta2
MapServer	=4.8.0-beta3
MapServer	=4.8.0-rc1
MapServer	=4.8.0-rc2
MapServer	=4.10.0
MapServer	=4.10.0-beta1
MapServer	=4.10.0-beta2
MapServer	=4.10.0-beta3
MapServer	=4.10.0-rc1
MapServer	=4.10.1
MapServer	=4.10.2
MapServer	=4.10.3
MapServer	=4.10.4
MapServer	=4.10.5
MapServer	=5.0.0
MapServer	=5.0.0-beta1
MapServer	=5.0.0-beta2
MapServer	=5.0.0-beta3
MapServer	=5.0.0-beta4
MapServer	=5.0.0-beta5
MapServer	=5.0.0-beta6
MapServer	=5.0.0-rc1
MapServer	=5.0.0-rc2
MapServer	=5.2.0
MapServer	=5.2.0-beta1
MapServer	=5.2.0-beta2
MapServer	=5.2.0-beta3
MapServer	=5.2.0-beta4
MapServer	=5.2.0-rc1
MapServer	=5.2.1
MapServer	=5.4.0
MapServer	=5.4.0-beta1
MapServer	=5.4.0-beta2
MapServer	=5.4.0-beta3
MapServer	=5.4.0-beta4
MapServer	=5.4.0-rc1
MapServer	=5.4.0-rc2
MapServer	=5.4.1
MapServer	=5.4.2
MapServer	=5.6.0
MapServer	=5.6.1
MapServer	=5.6.3
MapServer	=5.2.2
MapServer	=5.2.3
MapServer	=5.6.4
MapServer	=5.6.5
MapServer	=5.6.6
MapServer	=6.0.0
MapServer	=6.0.0-beta1
MapServer	=6.0.0-beta2
MapServer	=6.0.0-beta3
MapServer	=6.0.0-beta4
MapServer	=6.0.0-beta5
MapServer	=6.0.0-beta6
MapServer	=6.0.0-beta7
MapServer	=6.0.0-rc1
MapServer	=6.0.0-rc2

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2011-2703?
CVE-2011-2703 has a medium severity rating due to the potential exploitation through SQL injection and buffer overflow vulnerabilities.
How do I fix CVE-2011-2703?
To fix CVE-2011-2703, update MapServer to a version later than 4.10.6 or apply the necessary patches provided by the maintainers.
What are the main vulnerabilities associated with CVE-2011-2703?
CVE-2011-2703 includes multiple SQL injection flaws and a stack-based buffer overflow flaw.
Which versions of MapServer are affected by CVE-2011-2703?
CVE-2011-2703 affects MapServer versions up to 4.10.6, as well as specific beta versions prior to 5.0.0.
Is there a workaround for CVE-2011-2703 if I can't upgrade?
While upgrading is the best solution for CVE-2011-2703, implementing input validation and sanitization can serve as a temporary workaround.

agent/type
agent/first-publish-date
collector/mitre-cve
source/MITRE
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2011-2703
agent/last-modified-date
agent/author
agent/remedy
agent/severity
agent/references
agent/description
agent/event
agent/trending
agent/source
agent/weakness
agent/tags
agent/softwarecombine
collector/nvd-index
agent/software-canonical-lookup-request
collector/nvd-historical
vendor/osgeo
canonical/mapserver
version/mapserver/4.10.6
version/mapserver/4.2.0-beta1
version/mapserver/4.4.0
version/mapserver/4.4.0-beta1
version/mapserver/4.4.0-beta2
version/mapserver/4.4.0-beta3
version/mapserver/4.6.0
version/mapserver/4.6.0-beta1
version/mapserver/4.6.0-beta2
version/mapserver/4.6.0-beta3
version/mapserver/4.6.0-rc1
version/mapserver/4.8.0-beta1
version/mapserver/4.8.0-beta2
version/mapserver/4.8.0-beta3
version/mapserver/4.8.0-rc1
version/mapserver/4.8.0-rc2
version/mapserver/4.10.0
version/mapserver/4.10.0-beta1
version/mapserver/4.10.0-beta2
version/mapserver/4.10.0-beta3
version/mapserver/4.10.0-rc1
version/mapserver/4.10.1
version/mapserver/4.10.2
version/mapserver/4.10.3
version/mapserver/4.10.4
version/mapserver/4.10.5
version/mapserver/5.0.0
version/mapserver/5.0.0-beta1
version/mapserver/5.0.0-beta2
version/mapserver/5.0.0-beta3
version/mapserver/5.0.0-beta4
version/mapserver/5.0.0-beta5
version/mapserver/5.0.0-beta6
version/mapserver/5.0.0-rc1
version/mapserver/5.0.0-rc2
version/mapserver/5.2.0
version/mapserver/5.2.0-beta1
version/mapserver/5.2.0-beta2
version/mapserver/5.2.0-beta3
version/mapserver/5.2.0-beta4
version/mapserver/5.2.0-rc1
version/mapserver/5.2.1
version/mapserver/5.4.0
version/mapserver/5.4.0-beta1
version/mapserver/5.4.0-beta2
version/mapserver/5.4.0-beta3
version/mapserver/5.4.0-beta4
version/mapserver/5.4.0-rc1
version/mapserver/5.4.0-rc2
version/mapserver/5.4.1
version/mapserver/5.4.2
version/mapserver/5.6.0
version/mapserver/5.6.1
version/mapserver/5.6.3
vendor/umn
version/mapserver/5.2.2
version/mapserver/5.2.3
version/mapserver/5.6.4
version/mapserver/5.6.5
version/mapserver/5.6.6
version/mapserver/6.0.0
version/mapserver/6.0.0-beta1
version/mapserver/6.0.0-beta2
version/mapserver/6.0.0-beta3
version/mapserver/6.0.0-beta4
version/mapserver/6.0.0-beta5
version/mapserver/6.0.0-beta6
version/mapserver/6.0.0-beta7
version/mapserver/6.0.0-rc1
version/mapserver/6.0.0-rc2

CVE-2011-2703: SQL Injection

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2011-2703?

How do I fix CVE-2011-2703?

What are the main vulnerabilities associated with CVE-2011-2703?

Which versions of MapServer are affected by CVE-2011-2703?

Is there a workaround for CVE-2011-2703 if I can't upgrade?

Company

Resources

Contact

Frequently Asked Questions

What is the severity of CVE-2011-2703?

How do I fix CVE-2011-2703?

What are the main vulnerabilities associated with CVE-2011-2703?

Which versions of MapServer are affected by CVE-2011-2703?

Is there a workaround for CVE-2011-2703 if I can't upgrade?