CVE-2022-41208 An attacker with user privileges can alter a user's session.

CVE-2022-41208 An attacker with user privileges can alter a user's session.

To exploit the vulnerability, an attacker must be able to log in to the targeted application with user privileges. The update causes certain parameters of the SQL query to be filtered, preventing the injection of malicious code. Unfortunately, due to insufficient input validation, this filter can be bypassed. As a result, a malicious user can inject SQL code into the database, allowing the injection of code that allows the viewing or modification of information. In order to exploit the vulnerability, an attacker must be able to log in to the targeted application with user privileges. The update causes certain parameters of the SQL query to be filtered, preventing the injection of malicious code. Unfortunately, due to insufficient input validation, this filter can be bypassed. As a result, a malicious user can inject SQL code into the database, allowing the injection of code that allows the viewing or modification of information.

Vulnerable versions

The following versions are vulnerable to this issue:
- Windows Server 2003 Service Pack 2,
- Windows Vista,
- Windows 7,
- Windows Server 2008 R2,
- Windows 8,
- Windows Server 2012.

What is Apache TomEE?

Apache TomEE is a Java EE application server for enterprise applications. It is a fully managed, open source, and free to use enterprise application server with built-in clustering capabilities.
TomEE extends the functionality of the Java EE platform with clustered and high-availability features. For example, TomEE provides a web-based management console that allows administrators to quickly access deployment, monitoring, and diagnostics information across multiple nodes in the cluster.

Vulnerable code example

The following query will return all of the accounts with an older password less than 8 characters long.
SELECT * FROM Users WHERE Password_len

SQL Injection

SQL injection is a type of computer security vulnerability that occurs when an application that uses or displays untrusted data from a database incorrectly performs input validation on user input, allowing users to execute statements in SQL, which can be potentially destructive.

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe