CVE-2022-48599
Description
A SQL injection vulnerability exists in the “reporter events type” feature of ScienceLogic SL1, which takes unsanitized user-controlled input and passes it directly to a SQL query. This allows arbitrary SQL to be injected before the query is executed against the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A SQL injection flaw in ScienceLogic SL1's reporter events type feature allows arbitrary SQL execution via unsanitized input.
Vulnerability
A SQL injection vulnerability exists in the “reporter events type” feature of ScienceLogic SL1 versions up to and including 11.1.2 [1]. The feature takes unsanitized user-controlled input and passes it directly to a SQL query, enabling injection of arbitrary SQL before the query is executed against the database [1].
Exploitation
An attacker must have network access to the ScienceLogic SL1 instance and be able to supply crafted input to the “reporter events type” parameter [1]. No prior authentication or special privileges are mentioned in the available references; the input is processed without sanitization, allowing direct injection of SQL statements.
Impact
Successful exploitation permits arbitrary SQL execution against the underlying database [1]. This could lead to unauthorized data access, modification, or deletion, potentially compromising the confidentiality, integrity, and availability of the application's data.
Mitigation
ScienceLogic SL1 versions 11.1.2 and earlier are affected. The vendor was notified in September 2022, and a public disclosure was made on August 9, 2023 [1]. The reference advises updating to the latest version of ScienceLogic SL1 [1]; however, no specific fixed version number is provided. Users should contact ScienceLogic support for patching guidance.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- ScienceLogic/SL 1 v5 Range: 11.1.2
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.