
CVE-2022-24124: SQL Injection in Casdoor

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.98301%
Published: 2/1/2022
Updated: 2/3/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name                 Ecosystem   Vulnerable Versions   First Patched Version
github.com/casdoor/casdoor   go          < 1.13.1              1.13.1

Vulnerability Intelligence

Root Cause Analysis

The pre-patch version of GetSession in object/adapter.go used unsanitized user input (the field parameter) to construct SQL queries via fmt.Sprintf("%s like ?", util.SnakeString(field)). Because the column name is pasted into the SQL text rather than bound as a parameter, special characters in the 'field' parameter allowed SQL injection. The patch added a filterField() check that validates the field parameter against the regex ^[A-Za-z0-9]+$, confirming the original vulnerability. Multiple API endpoints (such as get-organizations) relied on this function, making it the root cause.
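The following Go example is added here to illustrate the root cause described above; it is not Casdoor's code. It places the pre-patch construction (a caller-supplied column name formatted straight into "%s like ?") beside the patched form, which allow-lists the identifier with ^[A-Za-z0-9]+$ before it reaches fmt.Sprintf. snakeString is an assumed stand-in for util.SnakeString (CamelCase to snake_case), and buildWhereUnchecked, buildWhereChecked and filterField are names chosen for this example; the sample field names are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

// snakeString is an assumed stand-in for casdoor's util.SnakeString: it converts
// CamelCase to snake_case. The real helper is not reproduced here.
func snakeString(s string) string {
	var b strings.Builder
	for i, r := range s {
		if unicode.IsUpper(r) {
			if i > 0 {
				b.WriteByte('_')
			}
			b.WriteRune(unicode.ToLower(r))
		} else {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// buildWhereUnchecked mirrors the pre-patch pattern from the analysis: the column
// name comes from the request and is formatted into the SQL text. Only the value
// is bound as a parameter ("?"), so any special character in field lands in the
// query itself. This is the vulnerable form.
func buildWhereUnchecked(field string) string {
	return fmt.Sprintf("%s like ?", snakeString(field))
}

// fieldPattern is the allow-list the patch introduced.
var fieldPattern = regexp.MustCompile(`^[A-Za-z0-9]+$`)

// filterField reports whether a caller-supplied column name is safe to
// interpolate: only ASCII letters and digits, nothing that can alter SQL syntax.
func filterField(field string) bool {
	return fieldPattern.MatchString(field)
}

// ErrInvalidField is returned when the identifier fails the allow-list.
var ErrInvalidField = errors.New("invalid field name")

// buildWhereChecked is the hardened form: validate the identifier first, then
// format it. The value stays a bound parameter; identifiers cannot be bound, so
// an allow-list is the correct control for them.
func buildWhereChecked(field string) (string, error) {
	if !filterField(field) {
		return "", ErrInvalidField
	}
	return fmt.Sprintf("%s like ?", snakeString(field)), nil
}

func main() {
	// Constructed sample inputs: a legitimate column name and one carrying
	// characters that would change the structure of the SQL text.
	for _, f := range []string{"displayName", "display-name;"} {
		fmt.Printf("unchecked: %q -> %q\n", f, buildWhereUnchecked(f))
		clause, err := buildWhereChecked(f)
		fmt.Printf("checked:   %q -> %q, err=%v\n", f, clause, err)
	}
}
```

The point the comparison makes is that a placeholder protects the value slot only; the column-name slot can never be parameterised, so the fix has to constrain what an identifier may contain before it is formatted into the statement.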


WAF Protection Rules

WAF Rule

The query API in Casdoor before 1.13.1 has a SQL injection vulnerability related to the field and value parameters, as demonstrated by api/get-organizations.

Reasoning

The pre-patch version of `GetSession` in `object/adapter.go` used unsanitized user input (field parameter) to construct SQL queries via `fmt.Sprintf("%s like ?", util.SnakeString(field))`. This allowed SQL injection through special characters in the 'field' parameter.