
CVE-2022-24827: SQL Injection in elide-datastore-aggregation

CVSS Score: 8.1 (CVSS 3.1)

Basic Information

EPSS Score: 0.57386%
Published: 4/8/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name: com.yahoo.elide:elide-datastore-aggregation
Ecosystem: maven
Vulnerable Versions: = 6.1.3
First Patched Version: 6.1.4

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stemmed from a regex change in PR #2565 that added '-' as valid in TEXT parameters. The security fix in PR #2581 reverted this regex to exclude '-', indicating the `validation()` function was the injection vector. The `TextType` class's value validation directly controlled parameter sanitization for SQL generation, making it the logical vulnerable component.

WAF Protection Rules

WAF Rule

### Impact

When leveraging the following together:

- Elide Aggregation Data Store for Analytic Queries
- Parameterized Columns (a column that requires a client provided parameter)
- A parameterized column of type TEXT

There is the potential for a ...
