CVE-2022-48591

Vulnerability

A SQL injection vulnerability exists in the vendor_state parameter of the “vendor print report” feature in ScienceLogic SL1 versions up to and including 11.1.2. The application takes unsanitized user-controlled input from this parameter and passes it directly to a SQL query without proper validation or escaping, as described in the advisory [1]. This allows injection of arbitrary SQL statements before execution against the database.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious HTTP request to the vulnerable endpoint, supplying a SQL payload in the vendor_state parameter. No authentication is required, and the attacker only needs network access to the SL1 web interface. The advisory does not detail a specific exploitation sequence, but the nature of the flaw suggests standard SQL injection techniques apply [1].

Impact

Successful exploitation permits the attacker to execute arbitrary SQL commands on the backend database. This could lead to disclosure of sensitive data, modification or deletion of database records, and potentially broader compromise of the SL1 system. The impact is considered high, as SQL injection can often escalate to remote code execution or full system takeover, depending on database permissions [1].

Mitigation

ScienceLogic SL1 version 11.1.2 is the last affected version. The vendor has not released a public patch at the time of disclosure, but users are advised to update to the latest version of ScienceLogic SL1 as recommended by the advisory [1]. No workaround is documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.