Title: HP Data Protector dpnepolicyservice Component LogCopyOperation Method copyStatus Field SQL Injection
Oct 19, 2011
Oct 18, 2011
HP Data Protector contains a flaw in the dpnepolicyservice component that may allow an attacker to carry out an SQL injection attack. The LogCopyOperation method does not properly sanitize user-supplied input to the 'copyStatus' field. This may allow an attacker to inject or manipulate SQL queries against the back-end database, resulting in the manipulation or disclosure of arbitrary data.
Remote / Network Access
Loss of Integrity
Patch / RCS
Currently, there are no known workarounds or upgrades to correct this issue. However, HP has released a patch to address this vulnerability. Check the vendor advisory or solution in the references section.