CVE-2022-42744
Description
CandidATS version 3.0.0 allows an external attacker to perform CRUD operations on the application databases. This is possible because the application does not correctly validate the entriesPerPage parameter against SQLi attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CandidATS 3.0.0 fails to sanitize the entriesPerPage parameter, allowing an unauthenticated attacker to perform SQL injection for CRUD operations on the database.
Vulnerability
CandidATS version 3.0.0 contains a SQL injection vulnerability in the entriesPerPage parameter passed to the ajax.php endpoint via the getPipelineJobOrder function. The application does not properly validate or sanitize this parameter, enabling an external attacker to inject arbitrary SQL queries. The vulnerable endpoint is reachable without authentication, as demonstrated in the public advisory [2]. The affected version is 3.0.0 only [1][2].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to ajax.php containing a malicious SQL payload in the entriesPerPage parameter. The advisory [2] demonstrates the use of a time-based blind SQLi payload such as 15 AND sleep(5)-- to confirm the injection. Subsequently, an attacker can use automated tools like sqlmap, targeting the entriesPerPage parameter, to exfiltrate database contents. The attacker must be able to reach the vulnerable web server endpoint.
Impact
Successful exploitation allows the attacker to perform arbitrary CRUD operations (Create, Read, Update, Delete) on the application's database [2]. This can lead to the disclosure of sensitive information, such as user emails and passwords, as shown in the advisory where the attacker dumped the user table's email and password columns [2]. The attacker gains full read and write access to the database, compromising all stored data and potentially the entire application.
Mitigation
As of the publication date (2022-11-03), there is no patch available for this vulnerability [2]. Users are advised to limit network access to the CandidATS instance, monitor for suspicious activity, and await a vendor-supplied fix. The project's status regarding continued maintenance is not specified in the references.
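The pattern behind this bug and its fix, shown as an added Python sketch that is not CandidATS code (CandidATS is a PHP application; the `pipeline` table and its columns, the 1..100 bound, the function names, and the access-log lines are all constructed for this illustration). The vulnerable path splices `entriesPerPage` into the SQL text, so the advisory's probe value reaches the database engine as SQL; the hardened path accepts only a bounded plain integer and binds it as a query parameter. The last function applies the same validator to access-log lines, which is the kind of monitoring the mitigation advice refers to.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

DEFAULT_ENTRIES_PER_PAGE = 15   # assumed application default
MAX_ENTRIES_PER_PAGE = 100      # assumed upper bound for a page size
# ASCII digits only: no sign, whitespace, operators or comment markers.
_ENTRIES_RE = re.compile(r"[0-9]{1,3}")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a job-order pipeline table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pipeline (id INTEGER PRIMARY KEY, candidate TEXT NOT NULL)")
    conn.executemany("INSERT INTO pipeline (candidate) VALUES (?)",
                     [(f"candidate-{i}",) for i in range(1, 21)])
    conn.commit()
    return conn


def vulnerable_page_query(conn: sqlite3.Connection, entries_per_page: str) -> list:
    """The defect pattern: the request parameter becomes part of the SQL text.

    Kept here only to show what the database engine sees; not a pattern to copy.
    """
    sql = "SELECT id, candidate FROM pipeline ORDER BY id LIMIT " + entries_per_page
    return conn.execute(sql).fetchall()


def vulnerable_probe(conn: sqlite3.Connection, raw: str) -> str:
    """Report whether the engine executed or choked on the spliced-in parameter."""
    try:
        rows = vulnerable_page_query(conn, raw)
    except sqlite3.OperationalError as exc:
        # The engine parsed attacker-controlled text as SQL and tripped on it.
        return f"engine error: {exc}"
    return f"executed {len(rows)} rows"


def parse_entries_per_page(raw) -> int:
    """Allow-list validation: a plain decimal integer within the page-size bounds."""
    if not isinstance(raw, str) or _ENTRIES_RE.fullmatch(raw) is None:
        raise ValueError("entriesPerPage must be a plain decimal integer")
    value = int(raw)
    if not 1 <= value <= MAX_ENTRIES_PER_PAGE:
        raise ValueError(f"entriesPerPage must be between 1 and {MAX_ENTRIES_PER_PAGE}")
    return value


def hardened_page_query(conn: sqlite3.Connection, raw_entries_per_page) -> list:
    """Validated value bound as a parameter; the SQL text never changes."""
    limit = parse_entries_per_page(raw_entries_per_page)
    return conn.execute(
        "SELECT id, candidate FROM pipeline ORDER BY id LIMIT ?", (limit,)
    ).fetchall()


# Constructed sample access-log lines (not taken from the advisory).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [03/Nov/2022:10:00:01 +0000] "GET /ajax.php?entriesPerPage=15 HTTP/1.1" 200 512',
    '10.0.0.9 - - [03/Nov/2022:10:00:07 +0000] '
    '"GET /ajax.php?entriesPerPage=15%20AND%20sleep(5)-- HTTP/1.1" 200 512',
]


def flag_entries_per_page_abuse(log_lines) -> list:
    """Return (line, decoded value) for requests whose entriesPerPage fails validation."""
    flagged = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) ', line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query)
        for value in query.get("entriesPerPage", []):
            try:
                parse_entries_per_page(value)
            except ValueError:
                flagged.append((line, value))
    return flagged


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_probe(db, "15 AND sleep(5)--"))   # engine tries to evaluate sleep()
    print(len(hardened_page_query(db, "15")), "rows")
    for line, value in flag_entries_per_page_abuse(SAMPLE_LOG_LINES):
        print("suspicious entriesPerPage:", repr(value))
```

The regex allow-list is deliberately narrower than a cast to integer would be: a cast would silently accept `15 AND sleep(5)--` as 15 in some languages and hide the probe, whereas rejecting the raw string both blocks the query and produces a loggable event.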
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CandidATS / CandidATS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.