CVE-2015-1013: SQL Injection
First published: Tue May 26 2015(Updated: )
OSIsoft PI AF 2.6 and 2.7 and PI SQL for AF 2.1.2.19 do not ensure that the PI SQL (AF) Trusted Users group lacks the Everyone account, which allows remote authenticated users to bypass intended command restrictions via SQL statements.
Credit: ics-cert@hq.dhs.gov
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Osisoft Pi Server | =2.6 | |
| Osisoft Pi Sql For Af | =2.1.2.19 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2015-1013?
CVE-2015-1013 is classified as a medium severity vulnerability.
How do I fix CVE-2015-1013?
To fix CVE-2015-1013, ensure that the PI SQL Trusted Users group does not include the Everyone account.
What are the affected versions in CVE-2015-1013?
CVE-2015-1013 affects OSIsoft PI AF versions 2.6 and 2.7, and PI SQL for AF version 2.1.2.19.
What type of users can exploit CVE-2015-1013?
Remote authenticated users can exploit CVE-2015-1013 by bypassing command restrictions through SQL statements.
Is there a workaround for CVE-2015-1013?
The primary workaround for CVE-2015-1013 is to review and adjust the membership of the PI SQL Trusted Users group.
- collector/nvd-index
- agent/type
- agent/references
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/author
- agent/tags
- agent/first-publish-date
- agent/event
- agent/description
- agent/source
- vendor/osisoft
- canonical/osisoft pi server
- version/osisoft pi server/2.6
- canonical/osisoft pi sql for af
- version/osisoft pi sql for af/2.1.2.19