VYPR
Unrated severity · NVD Advisory · Published Aug 18, 2022 · Updated May 5, 2025

CVE-2022-21225

Description

Improper neutralization in the Intel(R) Data Center Manager software before version 4.1 may allow an authenticated user to potentially enable escalation of privilege via adjacent access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in Intel Data Center Manager before 4.1 allows authenticated users to escalate privileges via adjacent network access.

Vulnerability

An improper neutralization of SQL commands vulnerability exists in Intel(R) Data Center Manager software before version 4.1. This SQL injection flaw resides in the management interface and is reachable by an authenticated user with adjacent network access. The affected versions include all releases prior to 4.1 [1][2].

Exploitation

An attacker must first obtain valid authentication credentials and be positioned on the same network segment as the vulnerable Intel Data Center Manager instance. With these prerequisites, the attacker can craft malicious SQL queries and inject them through unsanitized input fields in the management interface. The injection bypasses input validation, allowing the attacker to execute arbitrary SQL commands against the backend database [2].

Impact

Successful exploitation enables an authenticated attacker to escalate their privileges within the Intel Data Center Manager application. This can lead to full administrative control over the management software, potentially compromising the confidentiality, integrity, and availability of the managed data center infrastructure [1][2].

Mitigation

Intel released a fix in version 4.1 of the Data Center Manager software. Users should upgrade to 4.1 or later to remediate the vulnerability. No workarounds are documented in the available references. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3

News mentions

0

No linked articles in our index yet.