CVE-2022-48593
Description
A SQL injection vulnerability exists in the “topology data service” feature of ScienceLogic SL1, which takes unsanitized user-controlled input and passes it directly to a SQL query. This allows arbitrary SQL to be injected before the query is executed against the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in ScienceLogic SL1's topology data service allows arbitrary SQL execution due to unsanitized user input.
Vulnerability
A SQL injection vulnerability exists in the “topology data service” feature of ScienceLogic SL1. The service takes unsanitized user-controlled input and passes it directly to a SQL query, allowing arbitrary SQL injection. This affects ScienceLogic SL1 versions up to and including 11.1.2 [1].
Exploitation
An attacker with network access to the SL1 instance can send crafted input to the topology data service endpoint. The input is not sanitized before being used in a SQL query, enabling the attacker to inject arbitrary SQL statements [1]. No authentication is explicitly required, though the service may be behind authentication in some deployments.
Impact
Successful exploitation allows the attacker to execute arbitrary SQL queries against the database. This can lead to unauthorized reading, modification, or deletion of data, and potentially to further compromise depending on database permissions and configuration [1].
Mitigation
ScienceLogic recommends updating to the latest version of SL1. The vulnerability is present in SL1 <= 11.1.2, so upgrading to a version beyond 11.1.2 is necessary to remediate the issue [1]. No workarounds are documented in the available reference.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
ScienceLogic/SL1 v5, Range: 11.1.2
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.