CVE-2022-24407 — HIGH (8.8)

Q: What is CVE-2022-24407?

CVE-2022-24407 is a vulnerability with a CVSS score of 8.8 (HIGH). In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.

Q: How severe is CVE-2022-24407?

CVE-2022-24407 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-24407?

Check the references section above for vendor advisories and patch information. Affected products include: Cyrusimap Cyrus-Sasl, Debian Debian Linux, Fedoraproject Fedora, Netapp Active Iq Unified Manager, Netapp Ontap Select Deploy Administration Utility.

Vulnerability Description

In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Cyrusimap	Cyrus-Sasl	>= 2.1.17, <= 2.1.27
Debian	Debian Linux	9.0
Fedoraproject	Fedora	34
Netapp	Active Iq Unified Manager	-
Netapp	Ontap Select Deploy Administration Utility	-
Oracle	Communications Cloud Native Core Console	22.2.0
Oracle	Communications Cloud Native Core Network Function Cloud Native Environment	22.2.0
Oracle	Communications Cloud Native Core Security Edge Protection Proxy	22.1.1

Related Weaknesses (CWE)

CWE-89

References

http://www.openwall.com/lists/oss-security/2022/02/23/4Mailing ListPatchThird Party Advisory
https://github.com/cyrusimap/cyrus-sasl/blob/fdcd13ceaef8de684dc69008011fa865c5bRelease NotesThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/03/msg00002.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.netapp.com/advisory/ntap-20221007-0003/Third Party Advisory
https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28Release NotesVendor Advisory
https://www.debian.org/security/2022/dsa-5087Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
http://www.openwall.com/lists/oss-security/2022/02/23/4Mailing ListPatchThird Party Advisory
https://github.com/cyrusimap/cyrus-sasl/blob/fdcd13ceaef8de684dc69008011fa865c5bRelease NotesThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/03/msg00002.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro

FAQ

What is CVE-2022-24407?

CVE-2022-24407 is a vulnerability with a CVSS score of 8.8 (HIGH). In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.

How severe is CVE-2022-24407?

CVE-2022-24407 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-24407?

Check the references section above for vendor advisories and patch information. Affected products include: Cyrusimap Cyrus-Sasl, Debian Debian Linux, Fedoraproject Fedora, Netapp Active Iq Unified Manager, Netapp Ontap Select Deploy Administration Utility.