
CVE-2022-26245: SQL injection in falcon-plus

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.81425%
Published: 3/28/2022
Updated: 1/27/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name: github.com/open-falcon/falcon-plus
Ecosystem: go
Vulnerable Versions: <= 0.3.0
First Patched Version: (not listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The function GetHostsFromGroup in host.go directly interpolates the grpName parameter into an SQL query using fmt.Sprintf without proper sanitization or parameterization. This allows attackers to inject arbitrary SQL commands through the grpName parameter. The GitHub issue #951 explicitly shows the vulnerable code pattern where user-controlled input flows into the SQL query construction.
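The following is an added illustration of the pattern described above, not code from falcon-plus: a query builder that splices the group name into SQL text with fmt.Sprintf, placed beside the parameterized form that keeps the SQL constant and passes the name as a bound argument. The table and column names, the hostQueryTemplate, the validGroupName allowlist and the inputAlteredQuery check are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// The table and column names below are invented for illustration and do not
// come from falcon-plus; only the fmt.Sprintf-into-SQL pattern is the point.
const hostQueryTemplate = "SELECT h.hostname FROM host h JOIN grp g ON h.grp_id = g.id WHERE g.grp_name = '%s'"

// buildHostQueryUnsafe reproduces the defect described in the root-cause
// analysis: the caller-controlled group name is spliced into the SQL text, so
// a quote character in the input ends the string literal and whatever follows
// is parsed as SQL.
func buildHostQueryUnsafe(grpName string) string {
	return fmt.Sprintf(hostQueryTemplate, grpName)
}

// buildHostQuerySafe is the corrected form: the SQL text is a constant with a
// `?` placeholder (database/sql style) and the group name travels separately as
// a bound argument, so the driver always treats it as a value, never as code.
func buildHostQuerySafe(grpName string) (string, []interface{}) {
	const q = "SELECT h.hostname FROM host h JOIN grp g ON h.grp_id = g.id WHERE g.grp_name = ?"
	return q, []interface{}{grpName}
}

// quoteCount counts single-quote characters. The template legitimately contains
// exactly two (around the literal), so any other count in the built text means
// the input altered the query's structure.
func quoteCount(query string) int {
	return strings.Count(query, "'")
}

// inputAlteredQuery reports whether interpolating grpName changed the shape of
// the SQL relative to the template; a detection-oriented check for unit tests.
func inputAlteredQuery(grpName string) bool {
	return quoteCount(buildHostQueryUnsafe(grpName)) != quoteCount(hostQueryTemplate)
}

// Defence in depth: an allowlist for group names, applied before any query is
// built. The character set here is an assumption, not falcon-plus's rule.
var groupNameRe = regexp.MustCompile(`^[A-Za-z0-9_.-]{1,64}$`)

func validGroupName(grpName string) bool {
	return groupNameRe.MatchString(grpName)
}

func main() {
	// Constructed inputs: a normal name and one carrying a quote character.
	for _, name := range []string{"web", "web' OR '1'='1"} {
		fmt.Printf("input %q\n", name)
		fmt.Printf("  unsafe : %s\n", buildHostQueryUnsafe(name))
		fmt.Printf("  altered: %v\n", inputAlteredQuery(name))
		q, args := buildHostQuerySafe(name)
		fmt.Printf("  safe   : %s  args=%q\n", q, args)
		fmt.Printf("  allowed: %v\n", validGroupName(name))
	}
}
```

Running it shows the contrast the root-cause analysis points at: for the quote-bearing input the unsafe builder emits a WHERE clause with an extra condition, while the safe builder's SQL text is byte-for-byte the same for every input and the name only ever appears in the argument list. The allowlist is not a substitute for parameterization; it simply rejects inputs that a group name should never contain before they reach the database layer.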


WAF Protection Rules

WAF Rule

falcon-plus v0.3 was discovered to contain a SQL injection vulnerability via the parameter grpName in /config/service/host.go.

Reasoning

The function `GetHostsFromGroup` in `host.go` directly interpolates the `grpName` parameter into an SQL query using `fmt.Sprintf` without proper sanitization or parameterization. This allows attackers to inject arbitrary SQL commands through the `grpName` parameter.