CVE-2024-10864
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in OpenText Advanced Authentication. This issue affects Advanced Authentication versions before 6.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection vulnerability in OpenText Advanced Authentication before version 6.5 allows attackers to execute arbitrary SQL commands.
Vulnerability Overview
CVE-2024-10864 is an SQL injection vulnerability in OpenText Advanced Authentication, stemming from improper neutralization of special elements used in an SQL command. This flaw affects all versions prior to 6.5, as confirmed by the vendor's release notes [1]. The root cause lies in insufficient input validation within the authentication process, allowing an attacker to inject malicious SQL statements.
Exploitation
An attacker can exploit this vulnerability by sending crafted input to the affected application, likely through web requests or API calls that interact with the database. No authentication is required if the vulnerable endpoint is exposed, though the exact attack vector is not detailed in the available sources. The attacker must be able to reach the Advanced Authentication service over the network.
Impact
Successful exploitation could allow an attacker to read, modify, or delete sensitive data stored in the database, including user credentials and authentication policies. This could lead to complete compromise of the authentication system, enabling unauthorized access to protected resources.
Mitigation
OpenText has addressed this vulnerability in Advanced Authentication version 6.5 (25.1). Users are strongly advised to upgrade to this version or later to remediate the issue [1]. No workarounds are documented in the provided reference.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <6.5
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.