
SonicWall publishes security advisory urging immediate patching of critical SQL injection bug

On Friday, SonicWall published a security advisory warning of a critical SQL injection flaw affecting its GMS (Global Management System) and Analytics On-Prem products.

The flaw, tracked as CVE-2022-22280, permits SQL injection due to improper neutralization of special elements used in an SQL command.

It carries a severity rating of 9.4, categorizing it as “critical”. It is exploitable from the network without requiring authentication or user interaction, and it has low attack complexity.

According to Bleeping Computer, SonicWall clarifies that they are not aware of any reports of active exploitation in the wild or the existence of a proof of concept (PoC) exploit for this vulnerability as of yet. However, applying the available security updates and mitigations is crucial to minimize the chances of attackers exploiting the bug.

“SonicWall PSIRT strongly suggests that organizations using the Analytics On-Prem version outlined below should upgrade to the respective patched version immediately,” reads the SonicWall advisory, as per Bleeping Computer.

“SQL injection is a bug that allows attackers to modify a legitimate SQL query so that it performs unexpected behavior by inputting a string of specially crafted code in a web page’s form or URL query variables,” a source said, as per Bleeping Computer.

Exploiting this flaw allows attackers to access data that they should not normally have access to, bypass authentication, or potentially delete data from the database.

 

 

 



