Cyber Resilience

CVE-2022-24124

Severity: High · Public PoC

Published: 29 January 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.5999 (98.3rd percentile)
Risk Priority: 51 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-24124 is a high-severity SQL Injection (CWE-89) vulnerability in Casbin Casdoor. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 1.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Casdoor versions prior to 1.13.1 contain a SQL injection vulnerability in the query API, specifically involving unsanitized field and value parameters passed to endpoints such as api/get-organizations. The flaw is tracked as CWE-89 and carries a CVSS 3.1 base score of 7.5, reflecting network-accessible exploitation with no required credentials or user interaction that can disclose arbitrary database contents.

An unauthenticated remote attacker can supply crafted field and value inputs to the affected API to execute arbitrary SQL queries, enabling extraction of sensitive data stored by the Casdoor identity-management application. Because the vulnerable endpoints are reachable over HTTP or HTTPS without authentication, the attack can be launched from any network position that can reach the Casdoor instance.

Public references point to a fix released in version 1.13.1; the corresponding GitHub pull request and commit diff show remediation of the injection points, and the project issue tracker documents the original report. Administrators are advised to upgrade promptly and to restrict direct access to the query API until patches are applied.
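To make the weakness concrete, the following Go snippet (an added illustration, not Casdoor's own code; the table and column names are assumed) contrasts a filter builder that splices caller-supplied field and value parameters into the SQL text with a hardened version that allowlists the field name and passes the value as a bound argument:

```go
package main

import (
	"errors"
	"fmt"
)

// allowedFields is an allowlist of column names a caller may filter on.
// These names are assumed for illustration and are not Casdoor's schema.
var allowedFields = map[string]bool{
	"name":         true,
	"owner":        true,
	"display_name": true,
}

// buildFilterUnsafe shows the vulnerable pattern: the caller-controlled
// field and value are spliced straight into the SQL text, so a quote in
// value ends the string literal and any field name is accepted verbatim.
func buildFilterUnsafe(field, value string) string {
	return fmt.Sprintf("SELECT * FROM organization WHERE %s = '%s'", field, value)
}

// buildFilterSafe constrains both inputs: field must match the allowlist
// (so it is effectively a constant chosen by the server), and value is
// returned as a bound argument for the driver to escape, never interpolated.
func buildFilterSafe(field, value string) (string, []interface{}, error) {
	if !allowedFields[field] {
		return "", nil, errors.New("unknown filter field: " + field)
	}
	query := fmt.Sprintf("SELECT * FROM organization WHERE %s = ?", field)
	return query, []interface{}{value}, nil
}

func main() {
	// Constructed input: a legitimate value that happens to contain a quote.
	fmt.Println(buildFilterUnsafe("name", "O'Reilly"))
	q, args, err := buildFilterSafe("name", "O'Reilly")
	fmt.Println(q, args, err)
	// A column outside the allowlist is rejected before any SQL is built.
	_, _, err = buildFilterSafe("password_hash", "x")
	fmt.Println(err)
}
```

The unsafe builder emits a query whose structure depends on the input, while the safe builder always emits one of three fixed query shapes and leaves value handling to the database driver.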

The associated EPSS score has reached a peak of 0.6062 with a current value of 0.5999, indicating sustained exploitation interest after disclosure. Public proof-of-concept material is available on Packet Storm.

Vulnerability details

The query API in Casdoor before 1.13.1 has a SQL injection vulnerability related to the field and value parameters, as demonstrated by api/get-organizations.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: casbin
Product: casdoor
Version: ≤ 1.13.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-89: Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Addresses CWE-89: Input validation checks query inputs to prevent SQL syntax or command manipulation.
