CVE-2024-22923
Description
SQL injection vulnerability in adv radius v.2.2.5 allows a local attacker to execute arbitrary code via a crafted script.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in AdvRadius v2.2.5 allows a local attacker to execute arbitrary code via a crafted script.
Vulnerability
An SQL injection vulnerability exists in AdvRadius version 2.2.5. The vulnerability is present in a script that does not properly sanitize user-supplied input, allowing a local attacker to inject arbitrary SQL commands. The affected code path is reachable when the attacker has the ability to send crafted input to the vulnerable script, as described in the advisory [1].
Exploitation
An attacker with local access to the system can exploit this vulnerability by crafting a malicious script containing SQL injection payloads. The attacker does not require high privileges; they only need to be able to execute or submit the crafted script to the vulnerable AdvRadius component. The exact steps involve constructing a SQL injection payload and sending it to the affected endpoint, which then executes the attacker's database commands [1].
Impact
Successful exploitation allows the attacker to execute arbitrary code via SQL injection, which can lead to unauthorized data access, modification, or deletion. Since the description states 'arbitrary code,' this may also lead to escalation beyond the database layer, potentially compromising the entire system. The impact includes confidentiality, integrity, and availability breaches, depending on the attacker's injected payload [1].
Mitigation
No official fix had been released for AdvRadius version 2.2.5 as of the publication date, February 13, 2024. Users should monitor the vendor for a patched version or consider restricting local access to the vulnerable component. If no update is provided, decommissioning or replacing the software is recommended, especially if it handles sensitive data [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- adv radius/adv radius description
- Range: = 2.2.5
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.