CVE-2022-2272
Published: 03 August 2022
Summary
CVE-2022-2272 is a critical-severity SQL Injection (CWE-89) vulnerability in Santesoft Sante Pacs Server. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 3.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
This vulnerability is an unauthenticated SQL injection flaw, tracked as CVE-2022-2272 and originally reported as ZDI-CAN-17331, that affects Sante PACS Server version 3.0.4. The issue resides in the login endpoint where the username value supplied by a client is concatenated into SQL queries without adequate validation or parameterization, allowing an attacker to alter query logic.
Remote attackers can exploit the flaw over the network without any credentials or user interaction. Successful exploitation fully bypasses authentication controls, giving the attacker access to the system with the privileges of an authenticated user and potentially arbitrary data access or modification, consistent with the CVSS 9.8 rating and CWE-89 classification.
The associated Zero Day Initiative advisory ZDI-22-955 documents the issue but does not detail specific patches or configuration workarounds in the supplied references. The EPSS score has remained flat at its peak value of 0.2466 with no material increase observed after disclosure.
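The flaw class described above, next to the standard CWE-89 remedy, as an added example (not Santesoft's code and not taken from the advisory). The table, function names and sample values are constructed, and SQLite stands in for whatever database the product actually uses.

```python
import sqlite3

def make_db():
    """Constructed stand-in user store; not Sante PACS Server's schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('radiologist', 'hash-of-real-password')")
    return db

def login_concatenated(db, username, pw_hash):
    # Flaw class: the client-supplied username becomes part of the SQL text,
    # so quote and comment characters in it change the query's logic.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND pw_hash = '" + pw_hash + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, username, pw_hash):
    # Remedy: placeholders bind both values as data; the SQL text is constant.
    sql = "SELECT username FROM users WHERE username = ? AND pw_hash = ?"
    return db.execute(sql, (username, pw_hash)).fetchone() is not None

def compare(username, pw_hash):
    """Return (concatenated_result, parameterized_result) for one login attempt."""
    db = make_db()
    try:
        weak = login_concatenated(db, username, pw_hash)
    except sqlite3.Error:
        # A stray quote breaks the concatenated statement. SQL errors raised
        # on a login path are a signal worth alerting on.
        weak = "sql-error"
    return weak, login_parameterized(db, username, pw_hash)

if __name__ == "__main__":
    # Constructed inputs: valid login, wrong password, two usernames with a quote.
    for user, pw in [("radiologist", "hash-of-real-password"),
                     ("radiologist", "wrong"),
                     ("radiologist' --", "wrong"),
                     ("o'brien", "wrong")]:
        print(repr(user), compare(user, pw))
```

Only the concatenated path accepts the third input with a wrong password; the parameterized path treats the whole string as a username that does not exist.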
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-34547
Vulnerability details
This vulnerability allows remote attackers to bypass authentication on affected installations of Sante PACS Server 3.0.4. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of calls to the login endpoint. When parsing the username element, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-17331.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.