CVE-2022-4093

SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period. This affect 16.0.1 and 16.0.2 only. 16.0.0 or lower, and 16.0.3 or higher are not affected

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/dolibarr/dolibarr/commit/7c1eac9774bd1fed0b7b4594159f2ac2d12a4011	Patch Third Party Advisory
https://huntr.dev/bounties/677ca8ee-ffbc-4b39-b294-2ce81bd56788	Exploit Issue Tracking Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:dolibarr:dolibarr_erp\/crm:16.0.1:::::::*
	cpe:2.3:a:dolibarr:dolibarr_erp\/crm:16.0.2:::::::*

History

23 Nov 2022, 14:15

Type	Values Removed	Values Added
References	~~(MISC) https://github.com/dolibarr/dolibarr/commit/7c1eac9774bd1fed0b7b4594159f2ac2d12a4011 -~~	(MISC) https://github.com/dolibarr/dolibarr/commit/7c1eac9774bd1fed0b7b4594159f2ac2d12a4011 - Patch, Third Party Advisory
References	~~(CONFIRM) https://huntr.dev/bounties/677ca8ee-ffbc-4b39-b294-2ce81bd56788 -~~	(CONFIRM) https://huntr.dev/bounties/677ca8ee-ffbc-4b39-b294-2ce81bd56788 - Exploit, Issue Tracking, Patch, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Dolibarr dolibarr Erp\/crm Dolibarr
CPE		cpe:2.3:a:dolibarr:dolibarr_erp\/crm:16.0.2:::::::* cpe:2.3:a:dolibarr:dolibarr_erp\/crm:16.0.1:::::::*
CWE		CWE-89

21 Nov 2022, 13:00

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-11-21 05:15

Updated : 2023-12-10 14:48

NVD link : CVE-2022-4093

Mitre link : CVE-2022-4093

CVE.ORG link : CVE-2022-4093

JSON object : View

Products Affected

dolibarr

dolibarr_erp\/crm

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2022-4093", "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-11-21T05:15:10.733", "references": [{"url": "https://github.com/dolibarr/dolibarr/commit/7c1eac9774bd1fed0b7b4594159f2ac2d12a4011", "tags": ["Patch", "Third Party Advisory"], "source": "security@huntr.dev"}, {"url": "https://huntr.dev/bounties/677ca8ee-ffbc-4b39-b294-2ce81bd56788", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "source": "security@huntr.dev"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}, {"type": "Secondary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period. This affect 16.0.1 and 16.0.2 only. 16.0.0 or lower, and 16.0.3 or higher are not affected"}, {"lang": "es", "value": "Los ataques de inyecci\u00f3n SQL pueden dar lugar a un acceso no autorizado a datos sensibles, como contrase\u00f1as, datos de tarjetas de cr\u00e9dito o informaci\u00f3n personal del usuario. Muchas violaciones de datos de alto perfil en los \u00faltimos a\u00f1os han sido el resultado de ataques de inyecci\u00f3n SQL, lo que ha provocado da\u00f1os a la reputaci\u00f3n y multas de organismos reguladores. En algunos casos, un atacante puede obtener una puerta trasera persistente en los sistemas de una organizaci\u00f3n, lo que lleva a un compromiso a largo plazo que puede pasar desapercibido durante un per\u00edodo prolongado. Esto afecta \u00fanicamente a 16.0.1 y 16.0.2. 16.0.0 o inferior y 16.0.3 o superior no se ven afectados"}], "lastModified": "2022-11-23T14:15:25.360", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dolibarr:dolibarr_erp\\/crm:16.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0BD18B96-1716-497B-BC13-90EE2CBAD76D"}, {"criteria": "cpe:2.3:a:dolibarr:dolibarr_erp\\/crm:16.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FC87CEBC-DC5C-4C69-B453-FCA51EDDF47D"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}