CVE-2017-12567

Published: Aug 7, 2017Modified: May 13, 2026

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

SQL injection exists in Quest KACE Asset Management Appliance 6.4.120822 through 7.2, Systems Management Appliance 6.4.120822 through 7.2.101, and K1000 as a Service 7.0 through 7.2.

Affected (18)

Products: Quest: Kace Asset Management Appliance, Kace Systems Management Appliance, K1000 As A Service

Quest

3 products

Kace Asset Management Appliance

Kace Systems Management Appliance

K1000 As A Service

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Quest Kace Asset Management Appliance	Version 6.4.120822
Quest Kace Asset Management Appliance	Version 7.0.121306
Quest Kace Asset Management Appliance	Version 7.0
Quest Kace Asset Management Appliance	Version 7.1.149
Quest Kace Asset Management Appliance	Version 7.1
Quest Kace Asset Management Appliance	Version 7.2

Configuration B

7 vulnerable

Vulnerable Software	Affected Versions
Quest Kace Systems Management Appliance	Version 6.4.120822
Quest Kace Systems Management Appliance	Version 7.0.121306
Quest Kace Systems Management Appliance	Version 7.0
Quest Kace Systems Management Appliance	Version 7.1.149
Quest Kace Systems Management Appliance	Version 7.1
Quest Kace Systems Management Appliance	Version 7.2.101
Quest Kace Systems Management Appliance	Version 7.2

Configuration C

5 vulnerable

Vulnerable Software	Affected Versions
Quest K1000 As A Service	Version 7.0.121306
Quest K1000 As A Service	Version 7.0
Quest K1000 As A Service	Version 7.1.149
Quest K1000 As A Service	Version 7.1
Quest K1000 As A Service	Version 7.2

Related CWEs

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

References (2)

https://support.quest.com/kace-systems-management-appliance/kb/231874

Source: cve@mitre.org

Vendor Advisory

https://support.quest.com/kace-systems-management-appliance/kb/231874

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.