CVE-2022-48588
Description
A SQL injection vulnerability exists in the “schedule editor decoupled” feature of ScienceLogic SL1, which takes unsanitized user-controlled input and passes it directly to a SQL query. This allows arbitrary SQL to be injected into the query before it is executed against the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in ScienceLogic SL1's schedule editor decoupled feature allows unauthenticated attackers to execute arbitrary queries.
Vulnerability
A SQL injection vulnerability exists in the “schedule editor decoupled” feature of ScienceLogic SL1 versions 11.1.2 and earlier. The feature takes unsanitized user-controlled input and passes it directly to a SQL query, allowing the injection of arbitrary SQL statements before execution against the database [1].
Exploitation
An attacker can exploit this vulnerability by sending crafted input to the “schedule editor decoupled” feature. No authentication or special network position is required; the feature is accessible over the network. The attacker simply supplies malicious SQL payloads in the unsanitized parameter, which are then executed by the database [1].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands against the ScienceLogic SL1 database. This can lead to information disclosure, data modification, or complete compromise of the database [1]. The attacker may be able to read sensitive information, modify or delete records, or potentially gain further access to the underlying system.
Mitigation
ScienceLogic recommends updating to the latest version of SL1. There is no fixed version number explicitly provided in the references, but the vendor has been notified and disclosure occurred on August 9, 2023 [1]. If upgrading is not immediately possible, ensure the “schedule editor decoupled” feature is not exposed to untrusted users or networks.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- ScienceLogic/SL 1, v5, Range: 11.1.2
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.