Miggo Logo
Miggo Vulnerability Database
CVE-2022-3799

CVE-2022-3799: IBAX go-ibax vulnerable to SQL injection

8.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-3799
GHSA ID
GHSA-fcgf-j8cf-h2rm
EPSS Score
0.18647%
CWE
CWE-89
Published
11/1/2022
Updated
4/24/2024
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/IBAX-io/go-ibaxgo< 1.4.21.4.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

  1. The GitHub issue #2060 explicitly shows vulnerable SQL query construction in database.go lines 92 and 120 using fmt.Sprintf with user-controlled parameters (order and table_name).
  2. The commit fix removed these endpoints entirely, indicating they were the attack surface.
  3. The POCs demonstrate time-based injection via pg_sleep in these exact parameters.
  4. Both functions handle API endpoints (/open/tablesInfo and /open/columnsInfo) mentioned in vulnerability descriptions.
  5. SQL string concatenation patterns match classic injection vulnerabilities (CWE-89).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility *l*ssi*i** *s *riti**l w*s *oun* in I**X *o-i**x. *****t** *y t*is vuln*r**ility is *n unknown *un*tion*lity o* t** *il* /*pi/v*/op*n/t**l*sIn*o. T** m*nipul*tion l***s to sql inj**tion. T** *tt**k **n ** l*un**** r*mot*ly. T** *xploi

Reasoning

*. T** *it*u* issu* #**** *xpli*itly s*ows vuln*r**l* SQL qu*ry *onstru*tion in **t***s*.*o lin*s ** *n* *** usin* *mt.Sprint* wit* us*r-*ontroll** p*r*m*t*rs (or**r *n* t**l*_n*m*). *. T** *ommit *ix r*mov** t**s* *n*points *ntir*ly, in*i**tin* t**y