Unrated severity · NVD Advisory · Published May 25, 2022 · Updated Aug 3, 2024

SQL Injection in camptocamp/terraboard

CVE-2022-1883

Description

SQL Injection in GitHub repository camptocamp/terraboard prior to 2.2.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2022-1883 is a SQL injection vulnerability in Terraboard prior to 2.2.0 via the /search endpoint.

Vulnerability

CVE-2022-1883 is a SQL injection vulnerability in the Terraboard application, affecting versions prior to 2.2.0. The vulnerability exists in the /search endpoint, where the SearchAttribute function in the database handler directly concatenates user-supplied query parameters (tf_version, lineage_value) into SQL LIKE clauses without proper sanitization or parameterization [1][2]. This allows an attacker to inject arbitrary SQL commands through the affected parameters.

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the /search endpoint with malicious input in the tf_version or lineage_value query parameters. No authentication is required, as the endpoint is publicly accessible. The attacker does not need any special privileges or user interaction; the vulnerability can be triggered by simply issuing a GET request with the injected payload [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary SQL statements on the backend database. This can lead to unauthorized access to sensitive data stored in the database, including Terraform state information, credentials, and other secrets. The impact includes potential information disclosure and compromise of the infrastructure managed by Terraboard [2].

Mitigation

The vulnerability is fixed in Terraboard version 2.2.0. The fix, implemented in commit 2a5dbaac015dc0714b41a59995e24f5767f89ddc, replaces string interpolation with parameterized queries using ? placeholders and appends parameters separately, preventing SQL injection [1][2]. Users should upgrade to version 2.2.0 or later immediately. No workarounds have been provided for earlier versions, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
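The parameterized pattern described above, as an added example that is not Terraboard's code: a hypothetical buildSearchWhere helper keeps the SQL text fixed and returns the tf_version and lineage_value values separately for ? binding. The column names, the substring match and the LIKE-wildcard escaping are assumptions that go beyond what the advisory states.

```go
package main

import (
	"fmt"
	"strings"
)

// likeEscaper neutralises LIKE wildcards so a bound value matches literally.
// This is extra hardening (an assumption), not part of the fix the advisory describes.
var likeEscaper = strings.NewReplacer(`\`, `\\`, `%`, `\%`, `_`, `\_`)

// buildSearchWhere is a hypothetical helper, not Terraboard's SearchAttribute.
// It maps /search query parameters to a WHERE clause built only from fixed
// SQL text and ? placeholders; user values are returned separately so the
// database driver binds them as data.
func buildSearchWhere(query map[string]string) (string, []interface{}) {
	// Allow-list of request parameter -> column (column names are assumed).
	filters := []struct{ param, column string }{
		{"tf_version", "states.tf_version"},
		{"lineage_value", "lineages.value"},
	}
	var clauses []string
	var params []interface{}
	for _, f := range filters {
		v, ok := query[f.param]
		if !ok || v == "" {
			continue // parameter absent: add no clause
		}
		// The SQL fragment never contains v; only the placeholder does.
		clauses = append(clauses, f.column+` LIKE ? ESCAPE '\'`)
		params = append(params, "%"+likeEscaper.Replace(v)+"%")
	}
	return strings.Join(clauses, " AND "), params
}

func main() {
	// Constructed input: a value carrying a quote and a LIKE wildcard.
	where, params := buildSearchWhere(map[string]string{"tf_version": "0.12'%"})
	fmt.Println(where)  // SQL text, identical for any input value
	fmt.Println(params) // values handed to the driver for binding
}
```

The returned pair is meant to be passed to a query API that accepts a condition string plus variadic arguments, so the value never becomes part of the statement text.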

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
