• EnglishEspaΓ±olζ—₯本θͺžν•œκ΅­μ–΄PortuguΓͺs
  • Log inStart now

Security Bulletin NR19-05

Summary

A security update for the .NET agent corrects an issue where metric names are not properly identified for SQL queries with parameters that have been manually constructed.

Release date: August 26, 2019

Vulnerability identifier: NR19-05

Priority: Medium

Affected software

The following New Relic agent versions are affected:

Name

Affected version

Notes

Remediated version

.NET agent

< 8.18.241.0

8.18.241.0

.NET agent

< 6.24.0.0

6.24.0.0

Vulnerability information

When manually constructing SQL queries that execute stored procedures with parameters, a missing space before the first value may cause the agent to incorrectly identify the metric name. This may result in sensitive data being included in metric names.

Mitigating factors

This vulnerability only affects applications that manually assemble SQL queries with parameters, without using parameterized queries. It’s recommended that applications use parameterized queries to help avoid introducing SQL injection vulnerabilities.

Workarounds

Report security vulnerabilities to New Relic

New Relic is committed to the security of our customers and their data. If you believe you have found a security vulnerability in one of our products or websites, we welcome and greatly appreciate you reporting it to New Relic's coordinated disclosure program. For more information, see Reporting security vulnerabilities.

Copyright Β© 2024 New Relic Inc.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.