CVE-2021-47782
Description
Odine Solutions GateKeeper 1.0 contains a SQL injection vulnerability in the trafficCycle API endpoint that allows remote attackers to inject malicious database queries. Attackers can exploit the vulnerability by sending crafted payloads to the /rass/api/v1/trafficCycle/ endpoint to manipulate PostgreSQL database queries and potentially extract sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Odine Solutions GateKeeper 1.0 contains a SQL injection vulnerability in the trafficCycle API endpoint allowing remote attackers to execute arbitrary PostgreSQL queries.
Vulnerability Overview
CVE-2021-47782 is a SQL injection vulnerability in Odine Solutions GateKeeper 1.0, affecting the trafficCycle API endpoint at /rass/api/v1/trafficCycle/. The vulnerability arises from improper neutralization of special elements used in SQL commands (CWE-89), allowing an attacker to inject malicious PostgreSQL queries. The vulnerability was disclosed in October 2021 and has a CVSS v4 score of 8.2, indicating high severity [3].
Exploitation
An attacker can exploit this vulnerability by sending crafted payloads to the trafficCycle endpoint. The exploit requires authentication, as the endpoint is protected by a Bearer token, but once authenticated, the attacker can manipulate SQL queries via the trafficCycle parameter. The public exploit demonstrates error-based, stacked-query, and time-based blind injection techniques using PostgreSQL-specific functions like PG_SLEEP() and CAST() [2]. The web application runs on Nginx and uses a PostgreSQL backend.
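For defenders reviewing Nginx access logs, the following added example (not code from the vendor or the exploit author) flags requests to the trafficCycle endpoint whose decoded value carries markers of the three techniques named above. It assumes the Nginx "combined" log format and that the trafficCycle value follows the endpoint path; the log lines are constructed samples.

```python
import re
from urllib.parse import unquote_plus

ENDPOINT = "/rass/api/v1/trafficCycle/"  # path named in the CVE description

# Nginx "combined" format: client IP, request target, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# One marker per technique listed in the advisory (triage signals, not proof).
MARKERS = {
    "time-based": re.compile(r"\bpg_sleep\s*\(", re.I),
    "error-based": re.compile(r"\bcast\s*\(", re.I),
    "stacked": re.compile(r";\s*(select|insert|update|delete|drop|create|alter|copy)\b", re.I),
}

def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is still inspected."""
    for _ in range(rounds):
        nxt = unquote_plus(value)
        if nxt == value:
            break
        value = nxt
    return value

def scan(lines):
    """Return (ip, status, sorted marker names) for suspicious endpoint requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["target"].startswith(ENDPOINT):
            continue  # unparsable line or a different endpoint
        tail = decode(m["target"][len(ENDPOINT):])
        found = sorted(name for name, rx in MARKERS.items() if rx.search(tail))
        if found:
            hits.append((m["ip"], int(m["status"]), found))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [12/Oct/2021:10:00:01 +0000] "GET /rass/api/v1/trafficCycle/98 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [12/Oct/2021:10:02:13 +0000] "GET /rass/api/v1/trafficCycle/98%3BSELECT%20PG_SLEEP(5)-- HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.7 - - [12/Oct/2021:10:02:40 +0000] "GET /rass/api/v1/trafficCycle/98%2520AND%25201%253DCAST(1%2520AS%2520INT) HTTP/1.1" 500 170 "-" "-"',
]

if __name__ == "__main__":
    for ip, status, found in scan(SAMPLE):
        print(ip, status, ",".join(found))
```

A hit is a lead for review rather than confirmation: correlate it with the Bearer token used for the request and with PostgreSQL error or slow-query logs from the same time window.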
Impact
Successful exploitation allows an attacker to extract sensitive information from the database, potentially compromising user data or system credentials. The vulnerability also enables manipulation of database content, leading to data integrity issues. According to the CVSS vector, the impact on confidentiality is high, while integrity impact is low [3].
Mitigation
The vendor acknowledged the issue and released a fix, as indicated in the exploit disclosure. Users should update to a patched version of GateKeeper. No workarounds are mentioned. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
References