CVE-2022-48598

A SQL injection vulnerability exists in the “reporter events type date” feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.securifera.com/advisories/cve-2022-48598/	Third Party Advisory
https://www.securifera.com/advisories/cve-2022-48598/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sciencelogic:sl1:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:33

Type	Values Removed	Values Added
References	~~() https://www.securifera.com/advisories/cve-2022-48598/ - Third Party Advisory~~	() https://www.securifera.com/advisories/cve-2022-48598/ - Third Party Advisory
Summary		(es) Existe una vulnerabilidad de inyección SQL en la función "reporter events type date" en SL1 de ScienceLogic que toma la entrada no saneada controlada por el usuario y la pasa directamente a una consulta SQL. Esto permite la inyección de SQL arbitrario antes de ser ejecutado contra la base de datos.

Information

Published : 2023-08-09 19:15

Updated : 2024-11-21 07:33

NVD link : CVE-2022-48598

Mitre link : CVE-2022-48598

CVE.ORG link : CVE-2022-48598

JSON object : View

Products Affected

sciencelogic

sl1

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2022-48598", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "contact@securifera.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2023-08-09T19:15:13.770", "references": [{"url": "https://www.securifera.com/advisories/cve-2022-48598/", "tags": ["Third Party Advisory"], "source": "contact@securifera.com"}, {"url": "https://www.securifera.com/advisories/cve-2022-48598/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "contact@securifera.com", "description": [{"lang": "en", "value": "CWE-78"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "A SQL injection vulnerability exists in the \u201creporter events type date\u201d feature of the ScienceLogic SL1 that takes unsanitized user\u2010controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database."}, {"lang": "es", "value": "Existe una vulnerabilidad de inyecci\u00f3n SQL en la funci\u00f3n \"reporter events type date\" en SL1 de ScienceLogic que toma la entrada no saneada controlada por el usuario y la pasa directamente a una consulta SQL. Esto permite la inyecci\u00f3n de SQL arbitrario antes de ser ejecutado contra la base de datos.\n"}], "lastModified": "2024-11-21T07:33:34.607", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sciencelogic:sl1:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4CBE823D-513F-4D03-9D6A-C8F02F379CD9", "versionEndIncluding": "11.1.2"}], "operator": "OR"}]}], "sourceIdentifier": "contact@securifera.com"}