
CVE-2019-15563: OHDSI WebAPI vulnerable to SQL Injection

CVSS Score: 9.8 (CVSS v3.0)

Basic Information

EPSS Score: 0.58588%
Published: 5/24/2022
Updated: 4/17/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: org.ohdsi:WebAPI
Ecosystem: maven
Vulnerable Versions: < 2.7.2
First Patched Version: 2.7.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from unsafe string concatenation in SQL query construction:

  1. The original code used String.format() with raw user inputs like searchTerm and timeWindow in WHERE clauses
  2. Parameters were embedded directly into SQL strings without parameterization or proper escaping
  3. The patch adds QuoteUtils.escapeSql() to sanitize inputs, confirming these were injection points
  4. The CWE-89 classification and commit message explicitly reference SQL injection in this service class
  5. Vulnerable patterns match classic SQL injection vectors in JDBC-free string interpolation contexts
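The pattern the analysis above describes, shown as an added illustration rather than the actual FeatureExtractionService code: a hypothetical concept-search query built with String.format() from raw searchTerm and timeWindow values, beside the same query as a JDBC PreparedStatement. The table and column names are assumptions. The advisory notes that the real patch added an escaping helper; the hardened form here uses bound parameters instead, which removes the injection point entirely rather than relying on escaping being applied at every call site.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/** Illustrative only: hypothetical names, not the OHDSI WebAPI source. */
public class ConceptSearchExample {

    // BEFORE (the pattern the advisory describes): user input is spliced into
    // the SQL text, so any quote character in the input becomes SQL syntax.
    static String buildUnsafeQuery(String searchTerm, String timeWindow) {
        return String.format(
            "SELECT concept_id, concept_name FROM concept "      // assumed table/columns
          + "WHERE concept_name LIKE '%%%s%%' AND time_window = '%s'",
            searchTerm, timeWindow);
    }

    // AFTER: the SQL text is a constant; values travel as bound parameters and
    // are never parsed as SQL by the database, whatever characters they hold.
    static PreparedStatement prepareSafeQuery(Connection conn,
                                              String searchTerm,
                                              int timeWindow) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
            "SELECT concept_id, concept_name FROM concept "
          + "WHERE concept_name LIKE ? AND time_window = ?");
        ps.setString(1, "%" + searchTerm + "%"); // wildcard added in Java, not in SQL text
        ps.setInt(2, timeWindow);                // numeric input: parsed and typed, not spliced
        return ps;
    }

    // Review check for code in the "before" shape: a perfectly legitimate
    // search term containing an apostrophe already breaks the statement, which
    // is the same property an attacker relies on. No database needed to see it.
    public static void main(String[] args) {
        String sql = buildUnsafeQuery("Alzheimer's disease", "30");
        System.out.println(sql);
        long quotes = sql.chars().filter(c -> c == '\'').count();
        // An odd number of single quotes means the input changed the query's structure.
        System.out.println("quote count: " + quotes
            + (quotes % 2 == 1 ? " (odd: input altered SQL structure)" : ""));
    }
}
```

When reviewing a service class for this bug, the tell is any String.format(), concatenation or template call whose arguments come from request parameters and whose result is handed to a query executor; the fix is to move each such value into a bound parameter, and to parse numeric inputs such as timeWindow into an int before they get anywhere near the statement.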


WAF Protection Rules

WAF Rule

Observational Health Data Sciences and Informatics (OHDSI) WebAPI before 2.7.2 allows SQL injection in `FeatureExtractionService.java`.
