VYPR
Unrated severity · NVD Advisory · Published Aug 9, 2023 · Updated Oct 10, 2024

CVE-2022-48602

Description

A SQL injection vulnerability exists in the “message viewer print” feature of ScienceLogic SL1, which takes unsanitized user-controlled input and passes it directly to a SQL query. This allows arbitrary SQL to be injected into the query before it is executed against the database.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in ScienceLogic SL1's message viewer print feature allows arbitrary SQL execution; affects versions <= 11.1.2.

Vulnerability

A SQL injection vulnerability exists in the “message viewer print” feature of ScienceLogic SL1, which takes unsanitized user-controlled input and passes it directly to a SQL query. This allows arbitrary SQL to be injected into the query before it is executed against the database. The vulnerability affects ScienceLogic SL1 versions up to and including 11.1.2 [1].

Exploitation

An attacker with network access to the SL1 web interface and valid credentials can craft a malicious input to the message viewer print functionality. By providing specially formatted SQL commands in the unsanitized parameter, the attacker can inject arbitrary SQL statements that will be executed by the database backend. No additional user interaction is required beyond the initial authentication.

Impact

Successful exploitation allows the attacker to execute arbitrary SQL queries, potentially leading to unauthorized access to sensitive data, modification or deletion of database records, and further compromise of the application and underlying system [1]. The precise CIA impact depends on the attacker's injected SQL and database permissions, but full information disclosure and data integrity risks are present.

Mitigation

ScienceLogic recommends updating to the latest version of ScienceLogic SL1, as this vulnerability is fixed in a release after version 11.1.2 [1]. No workaround has been publicly disclosed. The vendor was notified in September 2022 and the vulnerability was publicly disclosed in August 2023; there is no indication that this CVE is on the CISA KEV list.

References
  1. CVE-2022-48602

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.
