CVE-2018-9029
Description
An improper input validation vulnerability in CA Privileged Access Manager 2.x allows remote attackers to conduct SQL injection attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CA Privileged Access Manager 2.x contains an improper input validation vulnerability that allows remote attackers to conduct SQL injection attacks [1]. The vulnerability exists due to insufficient sanitization of user-supplied input before using it in SQL queries. Affected versions include all 2.x releases prior to the fix.
Exploitation
An attacker can exploit this vulnerability remotely by sending specially crafted HTTP requests to the affected application. No authentication is required, as the vulnerable input is processed before authentication checks. The attacker can inject malicious SQL commands through input fields that are not properly validated.
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands on the backend database. This can lead to unauthorized access to sensitive data, modification or deletion of database contents, and potentially further compromise of the system.
Mitigation
CA Technologies released a security update to address this vulnerability. Users should upgrade to the latest version of CA Privileged Access Manager as specified in the advisory [1]. If upgrading is not immediately possible, apply input validation and parameterized queries as a workaround.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 2.x
- CA Technologies/CA Privileged Access Manager (v5), Range: 2.x
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/104496 (mitre, vdb-entry, x_refsource_BID)
- support.ca.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html (mitre, x_refsource_CONFIRM)