CVE-2022-39069

Vulnerability

ZTE ZAIP-AIE versions up to and including V8.22.01 are affected by a SQL injection vulnerability [1]. The server fails to properly verify user-supplied input, enabling an attacker to craft malicious requests that execute arbitrary SQL queries [1]. This occurs in the ZAIP-AIE product, which is an intelligent analysis platform [1].

Exploitation

An attacker needs physical access to the affected system (attack vector: physical) and requires no authentication or user interaction [1]. The attacker sends specially crafted requests to the server’s SQL-handling interface, without any privileges or network-based remote access [1]. The low complexity of the attack means no special conditions or race windows are needed [1].

Impact

Successful exploitation leads to the leakage of the current table content from the database [1]. The CVSS v3.1 base score is 4.3 (Medium) with low impact on confidentiality, integrity, and availability [1]. The attacker can read data but is limited to the tables accessible via the injection point; privilege escalation or full database compromise is not described [1].

Mitigation

ZTE released the fixed version ZAIP-AIE V8.22.02 [1]. Affected users should upgrade to this version following the ZAIP-AIE upgrade manual [1]. No workarounds are mentioned; systems running V8.22.01 or earlier should be updated as soon as possible [1].