CVE-2022-4093 - Vulnerability Details

Vendors	Products
Dolibarr	Dolibarr Erp\/crm

Link	Providers
https://github.com/dolibarr/dolibarr/commit/7c1eac9774bd1fed0b7b4594159f2ac2d12a4011
https://huntr.dev/bounties/677ca8ee-ffbc-4b39-b294-2ce81bd56788

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-4093", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "dateUpdated": "2024-08-03T01:27:54.527Z", "dateReserved": "2022-11-21T00:00:00", "datePublished": "2022-11-21T00:00:00"}, "containers": {"cna": {"title": " SQL Injection in dolibarr/dolibarr", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev", "dateUpdated": "2022-11-21T00:00:00"}, "descriptions": [{"lang": "en", "value": "SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period. This affect 16.0.1 and 16.0.2 only. 16.0.0 or lower, and 16.0.3 or higher are not affected"}], "affected": [{"vendor": "dolibarr", "product": "dolibarr/dolibarr", "versions": [{"version": "unspecified", "lessThan": "16.0.3", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.dev/bounties/677ca8ee-ffbc-4b39-b294-2ce81bd56788"}, {"url": "https://github.com/dolibarr/dolibarr/commit/7c1eac9774bd1fed0b7b4594159f2ac2d12a4011"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command", "cweId": "CWE-89"}]}], "source": {"advisory": "677ca8ee-ffbc-4b39-b294-2ce81bd56788", "discovery": "EXTERNAL"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:27:54.527Z"}, "title": "CVE Program Container", "references": [{"url": "https://huntr.dev/bounties/677ca8ee-ffbc-4b39-b294-2ce81bd56788", "tags": ["x_transferred"]}, {"url": "https://github.com/dolibarr/dolibarr/commit/7c1eac9774bd1fed0b7b4594159f2ac2d12a4011", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dolibarr:dolibarr_erp\\/crm:16.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "0BD18B96-1716-497B-BC13-90EE2CBAD76D", "vulnerable": true}, {"criteria": "cpe:2.3:a:dolibarr:dolibarr_erp\\/crm:16.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "FC87CEBC-DC5C-4C69-B453-FCA51EDDF47D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period. This affect 16.0.1 and 16.0.2 only. 16.0.0 or lower, and 16.0.3 or higher are not affected"}, {"lang": "es", "value": "Los ataques de inyecci\u00f3n SQL pueden dar lugar a un acceso no autorizado a datos sensibles, como contrase\u00f1as, datos de tarjetas de cr\u00e9dito o informaci\u00f3n personal del usuario. Muchas violaciones de datos de alto perfil en los \u00faltimos a\u00f1os han sido el resultado de ataques de inyecci\u00f3n SQL, lo que ha provocado da\u00f1os a la reputaci\u00f3n y multas de organismos reguladores. En algunos casos, un atacante puede obtener una puerta trasera persistente en los sistemas de una organizaci\u00f3n, lo que lleva a un compromiso a largo plazo que puede pasar desapercibido durante un per\u00edodo prolongado. Esto afecta \u00fanicamente a 16.0.1 y 16.0.2. 16.0.0 o inferior y 16.0.3 o superior no se ven afectados"}], "id": "CVE-2022-4093", "lastModified": "2024-11-21T07:34:34.257", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-21T05:15:10.733", "references": [{"source": "security@huntr.dev", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/dolibarr/dolibarr/commit/7c1eac9774bd1fed0b7b4594159f2ac2d12a4011"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/677ca8ee-ffbc-4b39-b294-2ce81bd56788"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/dolibarr/dolibarr/commit/7c1eac9774bd1fed0b7b4594159f2ac2d12a4011"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/677ca8ee-ffbc-4b39-b294-2ce81bd56788"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@huntr.dev", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object