CVE-2020-36947 — LibreNMS contains an authenticated SQL Injection vulnerability

Description

LibreNMS 1.46 contains an authenticated SQL Injection vulnerability in the MAC accounting graph endpoint that allows remote attackers to extract database information. Attackers can exploit the vulnerability by manipulating the 'sort' parameter with crafted SQL Injection techniques to retrieve sensitive database contents through time-based blind SQL Injection.

How to fix CVE-2020-36947

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2020-36947 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 1.46

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	HIGH7.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-36947
PATCHgithub.com/librenms/librenms
WEBcommunity.librenms.org
WEBwww.exploit-db.com/exploits/49246
WEBwww.vulncheck.com/advisories/librenms-mac-accounting-graph-authenticated-sql-injection