VYPR
Unrated severity · NVD Advisory · Published Aug 9, 2023 · Updated Oct 10, 2024

CVE-2022-48589

Description

A SQL injection vulnerability exists in the “reporting job editor” feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A SQL injection in ScienceLogic SL1's reporting job editor allows authenticated attackers to execute arbitrary SQL queries, leading to database compromise.

Vulnerability

An SQL injection vulnerability exists in the "reporting job editor" feature of ScienceLogic SL1 [1]. The component takes unsanitized user-controlled input and passes it directly to a SQL query, allowing the injection of arbitrary SQL before execution. All versions of ScienceLogic SL1 up to and including 11.1.2 are affected [1].

Exploitation

The attacker requires network access to the SL1 web interface and must be authenticated to reach the reporting job editor feature. The attacker can craft a malicious input in the affected parameter, which is then directly concatenated into a SQL query, bypassing the application's intended logic.

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands against the database. This can lead to unauthorized reading, modification, or deletion of database records, privilege escalation, and potential full compromise of the underlying database server.

Mitigation

ScienceLogic has not released a patch; the vendor's legal team initially discouraged disclosure [1]. Users should update to the latest available version of ScienceLogic SL1 (if a patched version exists) or restrict network access to the affected feature and enforce strict input validation. If no fix is available, consider isolating the database server.

References
  1. CVE-2022-48589

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.
