Cyber Resilience

CVE-2024-46906

High

Published: 02 December 2024
Modified: 06 December 2024
KEV Added: not listed
Patch: available (see vendor advisory)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2699 (96.5th percentile)
Risk Priority: 34 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-46906 is a high-severity SQL Injection (CWE-89) vulnerability in Progress WhatsUp Gold. Its CVSS base score is 8.8 (High).

Operationally, its EPSS score places it in the top 3.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-46906 is a SQL injection vulnerability (CWE-89) affecting WhatsUp Gold network monitoring software in all versions released before 2024.0.1. The flaw resides in the application's handling of database queries and carries a CVSS 3.1 score of 8.8, reflecting high impact on confidentiality, integrity, and availability when successfully exploited over the network.

An authenticated attacker who possesses at least Report Viewer privileges can supply crafted input that manipulates SQL statements, resulting in privilege escalation to full administrative control of the WhatsUp Gold instance. Because the attack requires only low-privileged credentials and no user interaction, it can be launched from any network-accessible position with valid login details.

Vendor advisories from Progress Software direct customers to upgrade immediately to WhatsUp Gold 2024.0.1 or later, as documented in the September 2024 security bulletin and the corresponding release notes. The EPSS score has remained steady at 0.2699 with no material increase since disclosure.

Vulnerability details

In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.

CWE(s): CWE-89 (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Progress
Product: WhatsUp Gold
Versions: ≤ 24.0.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-89: Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Addresses CWE-89: Validates query inputs to prevent SQL syntax or command manipulation.
