CVE-2022-3947 - Critical Vulnerability in eolinker goku_lite: SQL Injection via route/keyword Argument in /balance/service/list

A critical vulnerability has been identified in eolinker goku_lite, a widely used API management platform. This vulnerability, which has been assigned the identifier CVE-2022-3947, affects an unknown part of the file /balance/service/list and can be exploited remotely. The vulnerability was discovered in the manipulation of the route/keyword argument, leading to SQL injection. The exploit has now been disclosed to the public and is available for potential malicious use. This vulnerability has been assigned the identifier VDB-213453 in vulnerability databases.

Vulnerability Details

The eolinker goku_lite vulnerability enables an attacker to inject malicious SQL code via the route/keyword argument in the /balance/service/list file. This allows the attacker to manipulate or exfiltrate sensitive data from the targeted system, potentially leading to unauthorized access or further compromise.

Code Snippet

The following code snippet demonstrates the manipulation of the route/keyword argument in the /balance/service/list file, leading to SQL Injection:

GET /balance/service/list?route/keyword=' UNION SELECT 1,version(),3,4,5-- HTTP/1.1
Host: target.example.com
...

In the above code snippet, the attacker is manipulating the route/keyword argument by using a UNION statement to combine the injected SQL code with the original query. This can lead to unintended and potentially harmful consequences for the affected application.

Original References

The vulnerability was initially reported by the research team at the security firm [Example Security]. More details about this vulnerability can be found in the links below:

1. Original Vulnerability Disclosure: eolinker goku_lite CVE-2022-3947 Advisory
2. CVE Details: CVE-2022-3947
3. National Vulnerability Database (NVD) Entry: NVD - CVE-2022-3947

Exploit Details

The vulnerability has been disclosed to the public and can potentially be exploited by attackers. It is crucial for administrators and users of eolinker goku_lite to apply patches and upgrades as soon as possible to mitigate the risks associated with CVE-2022-3947.

Identify a target system running eolinker goku_lite.

2. Create a malicious GET request, manipulating the route/keyword argument (as shown in the code snippet provided earlier).

Keep eolinker goku_lite updated with the latest security patches and upgrades.

- Implement input validation and sanitization in the application to prevent malicious inputs, such as SQL injection attempts.

Conclusion

CVE-2022-3947 is a critical vulnerability in eolinker goku_lite, which allows remote attackers to conduct SQL injection attacks via the route/keyword argument in the /balance/service/list file. It is essential for users and administrators of this software to apply necessary security measures, such as patching, upgrading, and implementing input validation, to mitigate the risks associated with this vulnerability.

Timeline

Published on: 11/11/2022 13:15:00 UTC
Last modified on: 11/15/2022 21:05:00 UTC