CVE-2025-45346
Description
SQL Injection vulnerability in Bacula-web before v.9.7.1 allows a remote attacker to execute arbitrary code via a crafted HTTP GET request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Bacula-web before 9.7.1 allows remote attackers to execute arbitrary code via a crafted HTTP GET request.
Vulnerability Analysis
CVE-2025-45346 is a SQL injection vulnerability in Bacula-web, an open-source reporting and monitoring tool for Bacula backup infrastructure [2]. The vulnerability exists in versions prior to 9.7.1 and allows a remote attacker to execute arbitrary code by sending a specially crafted HTTP GET request [1]. The root cause is the direct concatenation of user-supplied input into SQL queries without proper sanitization or parameterization, as shown in the commit ad5d94809f17994a61496ecfec9cd3a16ac14a5f [4].
The vulnerable code is found in the job files report functionality, where the $filename parameter was directly embedded into LIKE and equality clauses [4]. The fix replaces the unsafe string interpolation with parameterized queries using addParameter() and named placeholders (:filename), preventing SQL injection by separating query logic from user data [4]. The attack requires no special privileges beyond network access to the web interface, making it remotely exploitable.
Successful exploitation could allow an attacker to inject arbitrary SQL commands into the application's database queries. This could lead to reading, modifying, or deleting sensitive data in the Bacula catalog database, or potentially executing operating system commands if the database user has sufficient privileges. Bacula-web uses read-only access by design, but the impact may extend beyond data disclosure depending on database configuration [2].
The vulnerability is fixed in version 9.7.1, released on July 29, 2025, as indicated in the release notes [3]. Users are strongly advised to upgrade to this version or later to mitigate the risk. No workarounds have been publicly documented, and the fix addresses the SQL injection by adopting parameterized queries in the affected code paths [4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| bacula-web/bacula-web | Packagist | < 9.7.1 | 9.7.1 |
Affected products
- Bacula-web/Bacula-web
- Range: < 9.7.1
Patches
ad5d94809f17 fix: potential sql injection in job files report
1 file changed · +4 −2
application/Table/JobFileTable.php+4 −2 modified@@ -61,7 +61,8 @@ public function getJobFiles($jobId, $limit, $offset, string $filename = '') $fields = array('Job.Name', 'Job.JobStatus', 'File.FileIndex', 'Path.Path', 'Filename.Name AS Filename'); $where = array("File.JobId = $jobId"); if (! empty($filename)) { - $where[] = "(Filename.Name LIKE '%$filename%' OR Path.Path LIKE '%$filename%' OR concat(Path.Path, '', Filename.Name) = '$filename')"; + $this->addParameter('filename', '%'.$filename.'%'); + $where[] = "(Filename.Name LIKE :filename OR Path.Path LIKE :filename OR concat(Path.Path, '', Filename.Name) = :filename)"; } $orderby = 'File.FileIndex ASC'; @@ -84,7 +85,8 @@ public function getJobFiles($jobId, $limit, $offset, string $filename = '') $where = ["File.JobId = $jobId"]; if (!empty($filename)) { - $where[] = "(File.Filename LIKE '%$filename%' OR Path.Path LIKE '%$filename%' OR concat(Path.Path, '', File.Filename) = '$filename')"; + $this->addParameter('filename', '%'.$filename.'%'); + $where[] = "(File.Filename LIKE :filename OR Path.Path LIKE :filename OR concat(Path.Path, '', File.Filename) = :filename)"; } $orderby = 'File.FileIndex ASC';
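Review bot: in the first hunk (the `Filename.Name` branch starting at line 61), the single placeholder bound by `$this->addParameter('filename', '%'.$filename.'%');` is also used in the equality branch `concat(Path.Path, '', Filename.Name) = :filename`, so that comparison now runs against the wildcard-wrapped value and a literal full-path lookup no longer matches the way it did before the change. Binding a second name for the exact match, e.g. `$this->addParameter('filename_exact', $filename);` with `= :filename_exact`, keeps the original semantics while staying parameterized. Relatedly, if this statement is prepared through PDO with emulated prepares disabled, a named marker cannot be reused within one statement, so distinct names are safer on that path as well.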
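Review bot: the second hunk (the `File.Filename` branch starting at line 84) carries the same reused-placeholder issue for `concat(Path.Path, '', File.Filename) = :filename` and should get the same separate exact-match binding. In addition, the unchanged context line `$where = ["File.JobId = $jobId"];` (and its `array(...)` twin in the first hunk) still interpolates `$jobId` into the SQL text; unless it is already validated as an integer before this method is called, binding it as a parameter too would close the remaining interpolation in this query. Finally, `%` and `_` in `$filename` still act as LIKE wildcards after the fix, which is a matching-semantics point rather than an injection, but worth a comment in the code.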
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
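As an added, runnable illustration of the interpolation-versus-parameterization difference described in the analysis above (example code written for this page, not Bacula-web's own), the following Python/sqlite3 snippet rebuilds the job-files filter in the shape shown in the commit. It assumes a constructed three-table catalog, uses SQLite's `||` in place of MySQL's `concat()`, and its `job_files_fixed` variant adds a separate exact-match binding that the commit does not have.

```python
import sqlite3

# Constructed in-memory stand-in for the Bacula catalog tables the report joins
# (Path, Filename, File); the rows are made up for this example.
def build_catalog() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Path(PathId INTEGER, Path TEXT);
        CREATE TABLE Filename(FilenameId INTEGER, Name TEXT);
        CREATE TABLE File(FileIndex INTEGER, JobId INTEGER, PathId INTEGER, FilenameId INTEGER);
        INSERT INTO Path VALUES (1, '/home/alice/'), (2, '/etc/');
        INSERT INTO Filename VALUES (1, 'notes.txt'), (2, 'O''Reilly.pdf'), (3, 'hosts');
        INSERT INTO File VALUES (1, 7, 1, 1), (2, 7, 1, 2), (3, 7, 2, 3);
    """)
    return con

# SQLite has no concat(); Path.Path || '' || Filename.Name is the same expression.
BASE = ("SELECT Path.Path, Filename.Name FROM File "
        "JOIN Path ON Path.PathId = File.PathId "
        "JOIN Filename ON Filename.FilenameId = File.FilenameId "
        "WHERE File.JobId = :job AND {where} ORDER BY File.FileIndex ASC")

def job_files_vulnerable(con, job_id: int, filename: str) -> list:
    # Pre-fix shape: the filter value is spliced into the SQL text, so a quote in
    # the input changes the statement instead of being compared as data.
    where = (f"(Filename.Name LIKE '%{filename}%' OR Path.Path LIKE '%{filename}%' "
             f"OR Path.Path || '' || Filename.Name = '{filename}')")
    return con.execute(BASE.format(where=where), {"job": job_id}).fetchall()

def job_files_as_committed(con, job_id: int, filename: str) -> list:
    # Post-fix shape from the commit: one placeholder bound to '%filename%' is
    # reused for all three comparisons, so the equality branch compares against
    # the wildcard-wrapped value and an exact full-path lookup no longer matches.
    where = ("(Filename.Name LIKE :filename OR Path.Path LIKE :filename "
             "OR Path.Path || '' || Filename.Name = :filename)")
    return con.execute(BASE.format(where=where),
                       {"job": job_id, "filename": f"%{filename}%"}).fetchall()

def job_files_fixed(con, job_id: int, filename: str) -> list:
    # Same parameterization, but the exact-match branch gets its own binding
    # (an addition of this example, not of the commit).
    where = ("(Filename.Name LIKE :pat OR Path.Path LIKE :pat "
             "OR Path.Path || '' || Filename.Name = :exact)")
    return con.execute(BASE.format(where=where),
                       {"job": job_id, "pat": f"%{filename}%", "exact": filename}).fetchall()
```

An apostrophe in a file name is enough to show the difference: the interpolated builder fails with a syntax error, while the parameterized one returns the matching row.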
References (4)
News mentions (0)
No linked articles in our index yet.