CVE-2022-24124
Published: 29 January 2022
Summary
CVE-2022-24124 is a high-severity SQL Injection (CWE-89) vulnerability in Casbin Casdoor. Its CVSS base score is 7.5 (High).
Operationally, this CVE ranks in the top 1.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Casdoor versions prior to 1.13.1 contain a SQL injection vulnerability in the query API, specifically involving unsanitized field and value parameters passed to endpoints such as api/get-organizations. The flaw is tracked as CWE-89 and carries a CVSS 3.1 base score of 7.5, reflecting a network-reachable weakness that requires neither credentials nor user interaction and can disclose arbitrary database contents.
An unauthenticated remote attacker can supply crafted field and value inputs to the affected API to execute arbitrary SQL queries, enabling extraction of sensitive data stored by the Casdoor identity-management application. Because the vulnerable endpoints are reachable over HTTP or HTTPS without authentication, the attack can be launched from any network position that can reach the Casdoor instance.
Public references point to a fix released in version 1.13.1; the corresponding GitHub pull request and commit diff show remediation of the injection points, and the project issue tracker documents the original report. Administrators are advised to upgrade promptly and to restrict direct access to the query API until patches are applied.
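As an added example (not Casdoor's own code and not the 1.13.1 fix), this is the defensive pattern for a query API that accepts caller-supplied field and value parameters: the field name is checked against an allowlist of identifiers, and the value is always bound as a query parameter rather than spliced into the SQL text. The column names in the allowlist are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// allowedFields is a constructed allowlist of columns a caller may filter on.
var allowedFields = map[string]bool{
	"name":         true,
	"display_name": true,
	"owner":        true,
}

// identRe accepts only plain SQL identifiers, so quotes, spaces, parentheses
// and comment markers in a user-supplied field name are rejected outright.
var identRe = regexp.MustCompile(`^[a-z_][a-z0-9_]*$`)

// Filter is a WHERE fragment plus the bound arguments for its placeholders.
type Filter struct {
	SQL  string
	Args []interface{}
}

// BuildFilter turns user-controlled field/value parameters into a safe filter.
// Identifiers cannot be bound as parameters, so the field is validated against
// the allowlist; the value is passed as a bound argument and never enters the
// SQL string, which is what removes the injection path.
func BuildFilter(field, value string) (Filter, error) {
	if !identRe.MatchString(field) || !allowedFields[field] {
		return Filter{}, fmt.Errorf("rejected filter field %q", field)
	}
	return Filter{
		SQL:  fmt.Sprintf("%s = ?", field),
		Args: []interface{}{value},
	}, nil
}

func main() {
	for _, in := range [][2]string{
		{"name", "acme"},
		{"name", "a' OR '1'='1"}, // hostile value: bound as a parameter, so inert
		{"name) OR (1=1", "acme"}, // hostile field: fails the identifier check
		{"password", "acme"},      // field outside the allowlist: rejected
	} {
		f, err := BuildFilter(in[0], in[1])
		fmt.Printf("field=%q value=%q -> sql=%q args=%v err=%v\n", in[0], in[1], f.SQL, f.Args, err)
	}
}
```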
The associated EPSS score has reached a peak of 0.6062 with a current value of 0.5999, indicating sustained exploitation interest after disclosure. Public proof-of-concept material is available on Packet Storm.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-1087
Vulnerability details
The query API in Casdoor before 1.13.1 has a SQL injection vulnerability related to the field and value parameters, as demonstrated by api/get-organizations.
- CWE(s): CWE-89
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.