CVE-2022-38812

Severity: Medium · Public PoC

Published: 31 August 2022
Modified: 21 November 2024
KEV Added: (none)
Patch: (none)
CVSS v3.1 score: 6.5 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.1230 (94.0th percentile)
Risk priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-38812 is a medium-severity SQL Injection (CWE-89) vulnerability in AeroCMS (vendor: AeroCMS Project). Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 6.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

AeroCMS version 0.1.1 contains a SQL injection vulnerability in the author parameter, classified under CWE-89. The flaw resides in the content management system's handling of user-supplied input to database queries, allowing malformed data to alter query logic without proper sanitization or parameterization.

An attacker with low-privileged network access and no user interaction required can supply crafted input through the affected parameter. Successful exploitation yields high confidentiality impact by extracting arbitrary database contents while leaving integrity and availability unaffected, consistent with the CVSS 6.5 rating.

Public references consist of disclosure reports and proof-of-concept material published by nu11secur1ty on GitHub and a companion blog; these sources do not describe vendor patches, configuration workarounds, or official mitigation guidance.

The associated EPSS score reached a peak of 0.1575 after disclosure before settling at the current value of 0.1230, indicating measurable post-publication exploitation interest that warrants renewed attention for affected deployments.

Vulnerability details

AeroCMS 0.1.1 is vulnerable to SQL Injection via the author parameter.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: aerocms project
Product: aerocms
Version: 0.1.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-89: Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Addresses CWE-89: Validates query inputs to prevent SQL syntax or command manipulation.
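The control above (input validation for CWE-89) and the "Deeper analysis" section both describe the same weakness class: user input from a parameter such as author reaching the query text unparameterized. The following is an added example written for this page, not code from AeroCMS or from the disclosure reports. It uses an in-memory SQLite table with constructed sample rows; the posts table, its columns and the hypothetical author filter are assumptions, not the AeroCMS schema. It shows the concatenation pattern beside a parameterized query, and adds an allow-list check on the parameter as a second layer, so a defender can see why the CVSS vector scores confidentiality high (the concatenated query returns every row) while the parameterized form returns nothing for the same input.

```python
"""Added example (not AeroCMS code): CWE-89 in a hypothetical 'author' filter.

The same lookup is written two ways against an in-memory SQLite table filled
with constructed sample rows: string concatenation (the weakness class
described for CVE-2022-38812) and a parameterized query. An allow-list check
on the author value is shown as a second, independent layer.
"""
import re
import sqlite3

# Constructed sample data; the table and column names are assumptions,
# not the AeroCMS schema.
SAMPLE_POSTS = [
    ("Hello world", "alice"),
    ("Draft notes", "bob"),
    ("Private memo", "carol"),
]


def make_db() -> sqlite3.Connection:
    """Build the in-memory table used by the examples below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (title TEXT, author TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)", SAMPLE_POSTS)
    return conn


def posts_by_author_vulnerable(conn: sqlite3.Connection, author: str) -> list[str]:
    """CWE-89 pattern: the parameter value is spliced into the SQL text, so a
    quote in the value becomes part of the query's structure."""
    sql = "SELECT title FROM posts WHERE author = '" + author + "'"
    return [row[0] for row in conn.execute(sql)]


def posts_by_author_safe(conn: sqlite3.Connection, author: str) -> list[str]:
    """Parameterized query: the driver binds the value separately from the SQL
    text, so the value can only ever be compared, never parsed as SQL."""
    rows = conn.execute("SELECT title FROM posts WHERE author = ?", (author,))
    return [row[0] for row in rows]


# Allow-list for the hypothetical author parameter (an assumption about what a
# valid author identifier looks like, chosen for the example).
AUTHOR_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def is_valid_author(author: str) -> bool:
    """Reject anything outside the allow-list before it reaches the database."""
    return AUTHOR_RE.fullmatch(author) is not None


def handle_request(conn: sqlite3.Connection, author: str) -> list[str]:
    """Validation plus parameterization: the two controls are independent,
    so the query stays safe even if the allow-list is later loosened."""
    if not is_valid_author(author):
        raise ValueError("rejected author parameter")
    return posts_by_author_safe(conn, author)


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("concatenated:", posts_by_author_vulnerable(db, crafted))  # every row
    print("parameterized:", posts_by_author_safe(db, crafted))      # no rows
    print("validated:", is_valid_author(crafted))                   # False
```

The contrast is the point of the control: with concatenation, the crafted value rewrites the WHERE clause and the query leaks every post (the "extracting arbitrary database contents" outcome in the analysis above); with a bound parameter the same string is just an author name that matches nothing. Input validation alone is weaker than parameterization because it depends on the allow-list being exactly right, which is why the example keeps both.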
