CVE-2022-3802

Name of the Vulnerable Software and Affected Versions go-ibax versions starting from commits on Jul 18, 2020

Description A critical issue has been found in go-ibax, allowing for SQL injection. This is due to the manipulation of the where argument in the /api/v2/open/rowsInfo endpoint, which can be initiated remotely. The issue affects the /packages/api/database.go file and can lead to identity spoofing, data tampering, disclosure of all data on the system, data destruction, or making data unavailable, and potentially allowing attackers to become database server administrators.

Recommendations For versions starting from commits on Jul 18, 2020, consider disabling the where parameter in the /api/v2/open/rowsInfo endpoint as a temporary workaround until a patch is available. Restrict access to the /packages/api/database.go file to minimize the risk of exploitation. Avoid using the where parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.