CVE-2019-15568
Description
idseq-web before 2019-07-01 in Infectious Disease Sequencing Platform IDseq allows SQL injection via tax_levels.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in idseq-web before 2019-07-01 allows attackers to execute arbitrary SQL via the tax_levels parameter.
Vulnerability
IDseq, the Infectious Disease Sequencing Platform, includes a web application (idseq-web) that was vulnerable to SQL injection through the tax_levels parameter before the fix committed on 2019-07-01 [1]. The tax_levels parameter was not properly sanitized before being used in SQL queries, allowing an attacker to inject arbitrary SQL commands. This affects all versions of idseq-web prior to the merge of pull request #2372 [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the affected endpoint with malicious SQL embedded in the tax_levels parameter. The attacker does not require prior authentication but does need network access to the IDseq web application [1]. The injection occurs during processing of taxon search queries, where the unsanitized input is directly concatenated into SQL statements.
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands against the database used by idseq-web. This can lead to unauthorized reading, modification, or deletion of sensitive data managed by the IDseq platform, including potentially patient health information, sequencing data, and user credentials. The impact is high, as it compromises data confidentiality and integrity [1].
Mitigation
The vulnerability was fixed in pull request #2372 committed on 2019-07-01 [1]. Users should upgrade to any version of idseq-web after that date. No workaround is documented for unpatched versions. The fix involves sanitizing the tax_levels input to prevent injection attacks [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
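The concatenation pattern and the input handling described under Exploitation and Mitigation, as an added example that is not idseq-web's code or the change made in pull request #2372. The table, column names, function names, the set of allowed levels and the sample rows are all assumptions constructed for illustration; Python with an in-memory SQLite database is used only so the example runs offline.

```python
import sqlite3

# Assumption: legal taxonomy levels; the real application's values may differ.
ALLOWED_TAX_LEVELS = {"species", "genus", "family"}
# Constructed input that closes the IN (...) list early.
CRAFTED = ["species') OR ('1'='1"]

def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE taxa (name TEXT, tax_level TEXT, project_id INTEGER)")
    db.executemany("INSERT INTO taxa VALUES (?, ?, ?)", [
        ("Escherichia coli", "species", 1),
        ("Escherichia", "genus", 1),
        ("Klebsiella pneumoniae", "species", 2),  # belongs to another project
    ])
    return db

def search_vulnerable(db, project_id, tax_levels):
    """The 'before' pattern: request values concatenated into the statement."""
    levels = ", ".join("'%s'" % lvl for lvl in tax_levels)
    sql = ("SELECT name FROM taxa WHERE project_id = %d AND tax_level IN (%s)"
           % (project_id, levels))
    return sorted(row[0] for row in db.execute(sql))

def search_hardened(db, project_id, tax_levels):
    """Allowlist every value, then pass the values as bound parameters."""
    if not isinstance(tax_levels, (list, tuple)) or not tax_levels:
        raise ValueError("tax_levels must be a non-empty list")
    bad = [lvl for lvl in tax_levels
           if not isinstance(lvl, str) or lvl not in ALLOWED_TAX_LEVELS]
    if bad:
        raise ValueError("unsupported tax_levels: %r" % bad)
    marks = ", ".join("?" for _ in tax_levels)
    sql = "SELECT name FROM taxa WHERE project_id = ? AND tax_level IN (%s)" % marks
    return sorted(row[0] for row in db.execute(sql, [project_id, *tax_levels]))

if __name__ == "__main__":
    db = make_db()
    # Concatenated query: the project_id filter no longer constrains the result.
    print(search_vulnerable(db, 1, CRAFTED))
    try:
        search_hardened(db, 1, CRAFTED)
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist is the primary control here because tax_levels has a small closed set of legal values; the bound parameters keep the query safe even if the allowlist is later widened.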
Affected products
- Infectious Disease Sequencing Platform IDseq/Infectious Disease Sequencing Platform IDseq (description)
- Range: <2019-07-01
Patches
No patches discovered yet.
References
- [1] github.com/chanzuckerberg/idseq-web/pull/2372 (mitre, x_refsource_MISC)