Security vulnerability in SQL Monitor (CVE-2020-9318)

19th February 2020

Summary

SQL Monitor versions 9.0.13 to 9.2.14 (inclusive) have a security vulnerability where a user who is an administrator of the SQL Monitor installation is able to perform a SQL injection attack.

This attack allows SQL statements to be executed as SQL Monitor’s data repository user.

What's the risk?

A logged in administrator can enter malicious content into the SNMP alert settings, which may be executed against the SQL database used by SQL Monitor to store its data. Specially crafted content could manipulate or delete the data stored in this database.

Other servers and databases monitored by SQL Monitor are not affected by this vulnerability. Standard and read-only users of SQL Monitor are not able to perform this attack, nor are unauthenticated users.
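The defect class the advisory describes, as an added example that is not Redgate's code: a hypothetical settings-save routine that splices an administrator's SNMP setting straight into a SQL string, beside the parameterised version that the fix would use. SQLite stands in for the SQL Server data repository; the table names, the `save_setting_*` functions and the crafted value are assumptions constructed for this illustration.

```python
import sqlite3

# Constructed stand-in for the SQL Monitor data repository (the real one is
# SQL Server and its schema is not given in the advisory): one hypothetical
# settings table plus a table holding data that an injected statement could touch.
def new_repository():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE snmp_settings (name TEXT PRIMARY KEY, value TEXT)")
    conn.execute("CREATE TABLE monitored_data (id INTEGER PRIMARY KEY, payload TEXT)")
    conn.execute("INSERT INTO monitored_data (payload) VALUES ('baseline sample')")
    conn.commit()
    return conn

def save_setting_unsafe(conn, name, value):
    # The pattern behind the advisory: administrator-supplied text becomes part
    # of the statement, so the database parses it as SQL rather than as data.
    sql = (f"INSERT OR REPLACE INTO snmp_settings (name, value) "
           f"VALUES ('{name}', '{value}')")
    conn.executescript(sql)  # runs every statement in the string, not just the intended one
    conn.commit()

def save_setting_safe(conn, name, value):
    # The fix: the value travels as a bound parameter and is stored literally.
    conn.execute("INSERT OR REPLACE INTO snmp_settings (name, value) VALUES (?, ?)",
                 (name, value))
    conn.commit()

def read_setting(conn, name):
    row = conn.execute("SELECT value FROM snmp_settings WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None

def monitored_row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM monitored_data").fetchone()[0]

# Constructed input: closes the intended statement and appends a second one.
CRAFTED = "x'); INSERT INTO monitored_data (payload) VALUES ('injected'); --"

def demo(value):
    """Save one SNMP setting both ways; return (rows after unsafe save,
    rows after safe save, value the safe path stored)."""
    unsafe = new_repository()
    save_setting_unsafe(unsafe, "community", value)
    safe = new_repository()
    save_setting_safe(safe, "community", value)
    return (monitored_row_count(unsafe), monitored_row_count(safe),
            read_setting(safe, "community"))

if __name__ == "__main__":
    print(demo(CRAFTED))   # the unsafe path gains a row; the safe path stores the text as-is
```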

This vulnerability carries a CVSS 3.1 score of 6.8 (medium).

How can I resolve this vulnerability?

SQL Monitor 9.2.15 fixes this vulnerability. This is a free upgrade for all licensed users of SQL Monitor 9. Versions of SQL Monitor before 9.0.13 were not affected.

We recommend you only grant administrator access to those users who need to modify the configuration of SQL Monitor. You can get more information about permissions in SQL Monitor in the product documentation.

How does Redgate ensure its products are secure?

All our product teams receive training in secure development practices, and we peer review all code changes. We use extensive suites of automated checks.

Unfortunately, vulnerabilities do occasionally occur. We aim to fix and announce them promptly when we discover them, and provide information on our website when this happens. You can find out more in our product security policy.