CVE-2022-48590

Vulnerability

The admin dynamic app mib errors feature in ScienceLogic SL1 versions up to and including 11.1.2 contains a SQL injection vulnerability. User-controlled input is not sanitized before being passed directly to a SQL query, allowing an attacker to inject arbitrary SQL statements [1].

Exploitation

An attacker must have network access to the ScienceLogic SL1 administrative interface and valid credentials to access the vulnerable feature. By crafting malicious input in the affected parameter, the attacker can inject SQL commands that are executed against the database [1].

Impact

Successful exploitation allows the attacker to execute arbitrary SQL queries, leading to potential data exfiltration, modification, or deletion. The attacker may gain unauthorized access to sensitive information stored in the database [1].

Mitigation

ScienceLogic recommends updating to the latest version of SL1. No specific patched version is mentioned in the advisory, but users should apply the most recent update available. The vendor was notified in September 2022 and the vulnerability was publicly disclosed in August 2023 [1].