CVE-2022-48598
Description
A SQL injection vulnerability exists in the “reporter events type date” feature of ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in ScienceLogic SL1 reporter events type date feature allows arbitrary SQL execution from unsanitized input.
Vulnerability
A SQL injection vulnerability exists in the “reporter events type date” feature of ScienceLogic SL1 versions up to and including 11.1.2. The application takes unsanitized user-controlled input and passes it directly into a SQL query, enabling the injection of arbitrary SQL commands before execution against the database [1].
Exploitation
An attacker with network access to the SL1 web interface can supply crafted input to the “reporter events type date” parameter. No prior authentication is required if the feature is exposed, though the exact authentication requirements are not detailed in the available references. The input is not sanitized or parameterized, allowing the attacker to manipulate the query structure [1].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL statements against the database. This can lead to unauthorized reading, modification, or deletion of data, and potentially to further compromise of the underlying system depending on database permissions [1].
Mitigation
ScienceLogic has released an update to address this vulnerability; users should upgrade to the latest version of ScienceLogic SL1. No specific version number for the fix is provided in the references, but the vendor notification and disclosure timeline suggest a patch was made available prior to public disclosure on 2023-08-09 [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- ScienceLogic/SL 1 v5, Range: 11.1.2
Patches
No patches discovered yet.
References (1)