CVE-2022-48597
Description
A SQL injection vulnerability exists in the “ticket event report” feature of ScienceLogic SL1, which takes unsanitized user-controlled input and passes it directly to a SQL query. This allows arbitrary SQL to be injected into the query before it is executed against the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in ScienceLogic SL1's ticket event report feature allows arbitrary SQL execution due to unsanitized user input.
Vulnerability
A SQL injection vulnerability exists in the “ticket event report” feature of ScienceLogic SL1. The application takes unsanitized user-controlled input and passes it directly to a SQL query, allowing an attacker to inject arbitrary SQL. Affected versions include ScienceLogic SL1 <= 11.1.2 [1].
Exploitation
An attacker with access to the ticket event report feature can exploit this vulnerability by supplying crafted input that is not sanitized before being used in a SQL query. The exact steps are not detailed in the available references, but the injection occurs through user-controlled parameters in the feature's interface [1].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands against the database. This can lead to unauthorized reading, modification, or deletion of data, potentially resulting in full database compromise [1].
Mitigation
ScienceLogic recommends updating to the latest version of ScienceLogic SL1 [1]. No specific patched version number is provided in the reference, and no workarounds are disclosed. The vendor initially resisted disclosure but eventually allowed public disclosure on 2023-08-09 [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ScienceLogic/SL 1 (v5), Range: 11.1.2
Patches
No patches discovered yet.
References