CVE-2017-9246: New Relic .NET Agent contains SQL Injection
9.8
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| NewRelic.Agent | nuget | < 6.3.123.0 | 6.3.123.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from New Relic's handling of SQL queries in the Slow Queries feature, specifically the failure to escape quotes when reconstructing parameterized queries for execution plan analysis. However, the provided sources (CVE, GHSA, blog post) do not explicitly name specific functions or file paths in the NewRelic.Agent codebase. The exploit involves the agent's internal mechanism for appending raw SQL with unescaped values after `SET SHOWPLAN_ALL ON`, but without access to the original code, commit diffs, or patch details, we cannot identify exact function names or file locations with high confidence. The vulnerability is tied to the agent's query instrumentation logic for Slow Queries, likely in SQL command interception/rewriting components, but insufficient public code-level documentation prevents precise function identification.
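The mechanism described above, as an added example that is not New Relic's code: a hypothetical plan-capture helper (the class and method names are assumptions) that rebuilds a parameterized query as literal SQL behind `SET SHOWPLAN_ALL ON`, first in the unescaped form the advisory describes and then with embedded single quotes doubled so a value cannot end the literal early.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;

// Added example, not New Relic's code. Models the slow-query path the
// advisory describes: a parameterized statement is rebuilt as literal SQL
// and run after SET SHOWPLAN_ALL ON to fetch its execution plan.
// Class and method names are hypothetical.
public static class SlowQueryPlanBuilder
{
    // Vulnerable shape: values are inlined with no escaping, so a string
    // value containing a single quote closes the literal early and the
    // remainder of the value is parsed by the server as SQL.
    public static string BuildUnescaped(string sql, IDictionary<string, object> parameters)
    {
        foreach (var kv in parameters)
        {
            string literal = kv.Value is string s
                ? "'" + s + "'"
                : Convert.ToString(kv.Value, CultureInfo.InvariantCulture);
            sql = sql.Replace(kv.Key, literal);
        }
        return "SET SHOWPLAN_ALL ON;\n" + sql;
    }

    // Hardened shape: each embedded single quote is doubled (T-SQL's escape
    // inside a quoted literal) and only known value types are accepted.
    // Keeping the statement parameterized (SqlCommand + SqlParameter) and
    // never rebuilding it as text is the stronger fix; this is the minimal
    // change implied by "failure to escape quotes".
    public static string BuildEscaped(string sql, IDictionary<string, object> parameters)
    {
        foreach (var kv in parameters)
        {
            string literal;
            switch (kv.Value)
            {
                case null:     literal = "NULL"; break;
                case string s: literal = "'" + s.Replace("'", "''") + "'"; break;
                case int n:    literal = n.ToString(CultureInfo.InvariantCulture); break;
                default: throw new ArgumentException("unsupported type " + kv.Value.GetType());
            }
            // Assumes no parameter name is a prefix of another (e.g. @id and @id2).
            sql = sql.Replace(kv.Key, literal);
        }
        return "SET SHOWPLAN_ALL ON;\n" + sql;
    }

    public static void Main()
    {
        const string q = "SELECT Id FROM Users WHERE Name = @name AND Age > @age";
        var p = new Dictionary<string, object> { ["@name"] = "O'Brien", ["@age"] = 30 };
        Console.WriteLine(BuildUnescaped(q, p)); // literal boundary broken by the apostrophe
        Console.WriteLine(BuildEscaped(q, p));   // apostrophe stays inside the literal
    }
}
```

Running it side by side shows why a legitimate value such as `O'Brien` is enough to change the statement's structure when quotes are not escaped, which is the same boundary an attacker-controlled value would cross.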