CVE-2022-48592

Vulnerability

The vendor print report feature of ScienceLogic SL1, a network monitoring platform, contains a SQL injection vulnerability in the vendor_country parameter. The application takes unsanitized user-controlled input and passes it directly into a SQL query [1]. All versions up to and including 11.1.2 are affected [1].

Exploitation

An attacker with network access to the ScienceLogic SL1 interface can craft a malicious request targeting the vendor_country parameter of the vendor print report endpoint. No authentication or special privileges are required. The unsanitized input is directly concatenated into a SQL query, allowing the attacker to inject arbitrary SQL [1].

Impact

Successful exploitation enables the attacker to execute arbitrary SQL commands against the database. This can result in complete disclosure of sensitive data stored in the database, including system credentials, configuration secrets, and monitoring data. The attacker may also be able to modify or delete data, potentially leading to total compromise of the application [1].

Mitigation

ScienceLogic has released a fix in the latest version of SL1. Users should update to a version newer than 11.1.2 [1]. No workaround is available in the disclosed information. The vulnerability was disclosed on 2023-08-09 [1].