New Relic .NET Agent contains SQL Injection

GHSA-2rvx-cvfc-mcp2 · CVE-2017-9246

Published May 17, 2022 · Modified Nov 8, 2023

Description

New Relic .NET Agent before 6.3.123.0 adds SQL injection flaws to safe applications via vectors involving failure to escape quotes during use of the Slow Queries feature, as demonstrated by a mishandled quote in a VALUES clause of an INSERT statement, after bypassing a SET SHOWPLAN_ALL ON protection mechanism.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2017-9246
PACKAGE https://github.com/newrelic/newrelic-dotnet-agent
WEB https://web.archive.org/web/20221202191459/https://blog.seanmcelroy.com/2017/05/26/sql-injection-with-new-relic-patched

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes