VYPR
Unrated severity · NVD Advisory · Published Jan 17, 2023 · Updated Aug 6, 2024

Bricco Authenticator Plugin DBAuthenticator.java compare sql injection

CVE-2013-10013

Description

A vulnerability was found in Bricco Authenticator Plugin. It has been declared as critical. This vulnerability affects the function authenticate/compare of the file src/java/talentum/escenic/plugins/authenticator/authenticators/DBAuthenticator.java. The manipulation leads to sql injection. Upgrading to version 1.39 is able to address this issue. The name of the patch is a5456633ff75e8f13705974c7ed1ce77f3f142d5. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218428.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A critical SQL injection in Bricco Authenticator Plugin's DBAuthenticator allows unauthenticated attackers to execute arbitrary SQL. Fixed in version 1.39.

Vulnerability

The SQL injection vulnerability resides in the authenticate/compare function of src/java/talentum/escenic/plugins/authenticator/authenticators/DBAuthenticator.java in the Bricco Authenticator Plugin. Versions prior to 1.39 are affected. The manipulation occurs when user-supplied values for username and password are concatenated directly into SQL queries, as seen in the code before the fix [1].

Exploitation

An attacker can exploit this vulnerability by sending crafted HTTP requests to the authentication endpoint, injecting malicious SQL into the username or password parameters. No authentication is required. The injection allows the attacker to modify the intended SQL query structure [1].

Impact

Successful exploitation enables an unauthenticated attacker to execute arbitrary SQL statements against the underlying database. This can lead to unauthorized data access, data exfiltration, and potentially full compromise of the application's data store [1].

Mitigation

The vulnerability is fixed in version 1.39, released on an unspecified date [2]. The fix involves replacing string concatenation with prepared statements, as shown in commit a5456633ff75e8f13705974c7ed1ce77f3f142d5 [1]. Users should upgrade to version 1.39 or later.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

1
a5456633ff75

Prevent SQL-injection

https://github.com/Bricco/authenticator-plugin · samuel.eriksson · Sep 4, 2013 · via nvd-ref
1 file changed · +11 −16
  • src/java/talentum/escenic/plugins/authenticator/authenticators/DBAuthenticator.java · +11 −16 · modified
    @@ -1,11 +1,9 @@
     package talentum.escenic.plugins.authenticator.authenticators;
     
    -import java.sql.Connection;
     import java.sql.PreparedStatement;
     import java.sql.ResultSet;
     import java.sql.ResultSetMetaData;
     import java.sql.SQLException;
    -import java.sql.Statement;
     import java.util.ArrayList;
     import java.util.Comparator;
     import java.util.HashMap;
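Review bot: removing the `java.sql.Connection` and `java.sql.Statement` imports is consistent with the `Query.execute` rewrite further down, which only uses `PreparedStatement`; the hunks shown are partial, though, so confirm no other method in this file still references `Statement` or `Connection` before merging.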
    @@ -67,20 +65,16 @@ public AuthenticatedUser authenticate(String username, String password,
     		}
     		try {
     
    +
     			ContentManager contentManager = ContentManager.getContentManager();
     			List result = new ArrayList();
     			String sql = "SELECT * FROM " + table + " WHERE "
     					+ columns.get("username") + "= ? AND "
    -					+ columns.get("password") + "= '?'";
    -			
    -			String[] preparedVariables = new String[] {username, password};
    -			
    -			
    -			
    +					+ columns.get("password") + "= ?";
     			if(log.isDebugEnabled()) {
     				log.debug(sql);
     			}
    -			contentManager.doQuery(new Query(sql, preparedVariables, result));
    +			contentManager.doQuery(new Query(sql, new String[] { username, password },  result));
     			
     			if(log.isDebugEnabled()) {
     				log.debug("found " + result.size() + " records");
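Review bot: `table`, `columns.get("username")` and `columns.get("password")` are still spliced into the SQL text by concatenation; bind markers cannot stand in for identifiers, so this fix rests on those values coming only from trusted configuration. Validating them against an identifier pattern (letters, digits, underscore) before building `sql` would close that gap. Minor: the hunk adds an empty `+` line directly after `try {`.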
    @@ -140,20 +134,21 @@ public int compare(Object o1, Object o2) {
     	
     	private static class Query implements TransactionOperation {
     		private String query;
    +		private String[] args;
     		private List list;
    -		private String[] variables;
     
    -		public Query(String query, String[] variables, List list) {
    +		public Query(String query, String[] args, List list) {
     			this.query = query;
    -			this.variables = variables;
    +			this.args = args;
     			this.list = list;
     		}
     
     		public void execute(Transaction t) throws SQLException {
    -			//Statement st = t.getConnection().createStatement();
    -			Statement st = t.getConnection().prepareStatement(query, variables);
    +			PreparedStatement prepStmt = t.getConnection().prepareStatement(query);
    +			prepStmt.setString(1, args[0]);
    +			prepStmt.setString(2, args[1]);
     			try {
    -				ResultSet rs = st.executeQuery(query);
    +				ResultSet rs = prepStmt.executeQuery();
     				ResultSetMetaData metaData = rs.getMetaData();
     				while (rs.next()) {
     					Map map = new HashMap();
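Review bot: the binding is hard-wired to `args[0]` and `args[1]`; a loop such as `for (int i = 0; i < args.length; i++) prepStmt.setString(i + 1, args[i]);` keeps `Query` correct for any argument count and avoids an `ArrayIndexOutOfBoundsException` if a caller passes fewer than two values. Also, `prepStmt` is created and bound before the `try`, so a failure in `setString` leaves the statement unclosed; moving the `setString` calls inside the `try` or using try-with-resources fixes that. For the record, the removed line called `prepareStatement(query, variables)`, which in JDBC is the overload taking the names of auto-generated-key columns rather than bind values, and then ran the raw `query` text through `executeQuery(query)`, so no parameter was ever bound.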
    @@ -163,7 +158,7 @@ public void execute(Transaction t) throws SQLException {
     					list.add(map);
     				}
     	        } finally {
    -	            st.close();
    +	        	prepStmt.close();
     	        }
     		}
     	}
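Review bot: closing `prepStmt` in the `finally` is correct, but the `ResultSet rs` opened inside the `try` is never closed explicitly; closing it as well (or switching to try-with-resources) releases the cursor promptly. Style: the replacement `prepStmt.close();` line mixes a tab into the space indentation of the surrounding `finally` block.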
    

Vulnerability mechanics

Root cause

"The password placeholder was wrapped in single quotes (`'?'`) and the PreparedStatement's parameter values were never bound via setString, causing user input to be concatenated directly into the SQL query."

Attack vector

An attacker can supply a malicious `username` or `password` value containing SQL metacharacters (e.g., a single quote or comment syntax) to the `authenticate` function. Because the old code placed the password placeholder inside single quotes (`'?'`) and never called `setString` on the `PreparedStatement`, the input was concatenated into the SQL string before execution, allowing the attacker to alter the query's logic. This enables classic SQL injection — the attacker could bypass authentication or extract arbitrary data from the database [CWE-89].

Affected code

The vulnerability resides in `src/java/talentum/escenic/plugins/authenticator/authenticators/DBAuthenticator.java`, specifically in the `authenticate` method and the inner `Query` class. The old code constructed a SQL query with the password placeholder wrapped in single quotes (`'?'`) and passed user-supplied `username` and `password` as plain string variables to a `PreparedStatement` that was never actually parameterized — the `executeQuery` method was called with the raw query string instead of using the prepared statement's parameter setters [patch_id=2243866].

What the fix does

The patch corrects two flaws. First, the password placeholder is changed from `'?'` (a literal question mark inside quotes) to `?` (a true parameter placeholder), so the driver treats it as a bind variable. Second, the `Query.execute` method now creates a `PreparedStatement`, calls `prepStmt.setString(1, args[0])` and `prepStmt.setString(2, args[1])` to safely bind the username and password, and executes via `prepStmt.executeQuery()` instead of passing the raw query string to `executeQuery`. These changes ensure user input is never concatenated into the SQL string, eliminating the injection vector [patch_id=2243866].
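To make the two flaws concrete, the following is an added example written for this page, not code from the plugin or its repository. It uses Python with sqlite3 rather than JDBC so that it runs offline, and it puts three query styles side by side: user values concatenated into the SQL text, a `'?'` placeholder wrapped in quotes (which the driver sees as a one-character string literal, not a bind marker), and the corrected form with bare `?` markers and bound values. The `users` table, its two rows, the configured table and column names, and the crafted input are all constructed assumptions.

```python
import re
import sqlite3

# Constructed sample store, not the plugin's schema: two users, plain-text
# passwords purely so the query logic stays visible.
SCHEMA = """
CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT);
INSERT INTO users VALUES ('alice', 's3cret', 'editor');
INSERT INTO users VALUES ('bob', 'hunter2', 'reader');
"""

# Stand-ins for the plugin's configured `table` and `columns` map (assumed names).
TABLE = "users"
COLUMNS = {"username": "username", "password": "password"}

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def safe_identifier(name):
    """Identifiers cannot be bound as parameters, so a config-supplied table or
    column name is checked against a strict pattern before it is spliced in."""
    if not IDENT.fullmatch(name):
        raise ValueError(f"unsafe SQL identifier: {name!r}")
    return name


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def query_concatenated(conn, username, password):
    """The pattern the advisory describes: user values spliced into the SQL text.
    Returns matching rows; a quote or comment sequence in the input rewrites the query."""
    sql = (f"SELECT * FROM {TABLE} WHERE {COLUMNS['username']} = '{username}' "
           f"AND {COLUMNS['password']} = '{password}'")
    return conn.execute(sql).fetchall()


def query_quoted_placeholder(conn, username, password):
    """Flaw 1 from the patch: `'?'` is a one-character string literal, not a bind
    marker, so the statement has a single real placeholder while two values are
    supplied. sqlite3 refuses the mismatch; the outcome is returned as a string."""
    sql = (f"SELECT * FROM {TABLE} WHERE {COLUMNS['username']} = ? "
           f"AND {COLUMNS['password']} = '?'")
    try:
        conn.execute(sql, (username, password))
        return "bound"
    except sqlite3.ProgrammingError as exc:
        return f"error: {exc}"


def query_parameterized(conn, username, password):
    """The fixed pattern: bare `?` markers, values bound by the driver, and the
    identifiers validated instead of trusted blindly."""
    sql = (f"SELECT * FROM {safe_identifier(TABLE)} "
           f"WHERE {safe_identifier(COLUMNS['username'])} = ? "
           f"AND {safe_identifier(COLUMNS['password'])} = ?")
    return conn.execute(sql, (username, password)).fetchall()


def authenticate(conn, username, password):
    """Defender-side check: exactly one row must match; returns the role or None."""
    rows = query_parameterized(conn, username, password)
    return rows[0][2] if len(rows) == 1 else None


def demo():
    """Runs the three query styles against the same constructed input."""
    conn = make_db()
    # Constructed hostile value of the kind the advisory mentions: a quote
    # followed by SQL comment syntax, which truncates a concatenated query.
    crafted = "alice' --"
    return {
        "concat_rows": len(query_concatenated(conn, crafted, "wrong")),
        "quoted_placeholder": query_quoted_placeholder(conn, "alice", "s3cret"),
        "param_rows": len(query_parameterized(conn, crafted, "wrong")),
        "legit_role": authenticate(conn, "alice", "s3cret"),
        "wrong_password": authenticate(conn, "alice", "nope"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated form returns a row for the crafted username with a wrong password, while the parameterized form returns none, because the driver delivers the value as data and never re-parses it. The `safe_identifier` check goes one step beyond the plugin's patch: even after the fix, the configured table and column names are still concatenated into the statement, and since bind markers cannot replace identifiers, validating them is the only way to keep that part of the query under control.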

Preconditions

  • input: The attacker must be able to supply arbitrary username and password values to the DBAuthenticator.authenticate() method, typically via a login form or API endpoint.
  • config: The application must be configured to use the vulnerable DBAuthenticator plugin (version prior to 1.39).

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.