CVE-2022-38812
Published: 31 August 2022
Summary
CVE-2022-38812 is a medium-severity SQL Injection (CWE-89) vulnerability in AeroCMS (vendor listed as Aerocms Project). Its CVSS base score is 6.5 (Medium).
Operationally, it ranks in the top 6.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
AeroCMS version 0.1.1 contains a SQL injection vulnerability in the author parameter, classified under CWE-89. The flaw resides in the content management system's handling of user-supplied input to database queries, allowing malformed data to alter query logic without proper sanitization or parameterization.
An attacker who can reach the application over the network with low privileges, and without any user interaction, can supply crafted input through the affected parameter. Successful exploitation yields high confidentiality impact, since arbitrary database contents can be extracted, while integrity and availability are unaffected, consistent with the CVSS 6.5 rating.
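To make the mechanism described above concrete, here is an added illustration that is not AeroCMS's own code: the posts table, the function names and the use of Python with sqlite3 (rather than the CMS's PHP and MySQL) are all constructed for this example. It shows a query that splices the author parameter into SQL text beside the parameterized form that removes the flaw, and why the former leaks rows the filter was meant to exclude.

```python
import sqlite3

# Constructed stand-in for a CMS posts table; this is not AeroCMS's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT,
                            title TEXT, published INTEGER);
        INSERT INTO posts VALUES (1, 'alice', 'Welcome post', 1);
        INSERT INTO posts VALUES (2, 'bob',   'Unpublished draft', 0);
        INSERT INTO posts VALUES (3, 'alice', 'Second post', 1);
    """)
    return conn

def posts_by_author_vulnerable(conn, author):
    # The pattern the advisory describes: the request parameter is spliced
    # into the SQL text, so quotes and comment markers in it become syntax.
    sql = f"SELECT title FROM posts WHERE author = '{author}' AND published = 1"
    return [row[0] for row in conn.execute(sql)]

def posts_by_author_safe(conn, author):
    # Hardened form: the value is bound as a parameter and is only ever
    # compared as data, whatever characters it contains.
    sql = "SELECT title FROM posts WHERE author = ? AND published = 1"
    return [row[0] for row in conn.execute(sql, (author,))]

def demo():
    conn = make_db()
    benign = "alice"
    # A malformed value that closes the string literal and comments out the
    # rest of the WHERE clause, which is how the query logic gets altered.
    malformed = "' OR 1=1 --"
    return {
        "vulnerable_benign": posts_by_author_vulnerable(conn, benign),
        "vulnerable_malformed": posts_by_author_vulnerable(conn, malformed),
        "safe_benign": posts_by_author_safe(conn, benign),
        "safe_malformed": posts_by_author_safe(conn, malformed),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable path returns the unpublished draft for the malformed value (the confidentiality impact the advisory scores), while the parameterized path returns nothing because no author is literally named `' OR 1=1 --`.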
Public references consist of disclosure reports and proof-of-concept material published by nu11secur1ty on GitHub and a companion blog; these sources do not describe vendor patches, configuration workarounds, or official mitigation guidance.
The associated EPSS score reached a peak of 0.1575 after disclosure before settling at the current value of 0.1230, indicating measurable post-publication exploitation interest that warrants renewed attention for affected deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-41372
Vulnerability details
AeroCMS 0.1.1 is vulnerable to SQL Injection via the author parameter.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.