Fluid Attacks Database

Description

Dolibarr ERP and CRM malicious executable loading Dolibarr ERP/CRM 9.0.1 provides a web-based functionality that backs up the database content to a dump file. However, the application performs insufficient checks on the export parameters to mysqldump, which can lead to execution of arbitrary binaries on the server. (Malicious binaries can be uploaded by abusing other functionalities of the application.)

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	dolibarr/dolibarr	>=0 <9.0.3	9.0.3

Aliases

1. CVE-2019-112002. NVD-2019-112003. OSV-2019-112004. GCVE-2019-11200

References

1. https://github.com/Dolibarr/dolibarr/issues/10984#issuecomment-4882974192. https://github.com/Dolibarr/dolibarr/commit/01075081cbcd9130a72115cdb50ee61fc394edc13. https://github.com/Dolibarr/dolibarr/commit/d6ae62478c8841fdfe58971494818b599f396d4f4. https://know.bishopfox.com/advisories/dolibarr-version-9-0-1-vulnerabilities

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.