PT-2023-25984 · Knowage · Knowage

Davide-Zerbetto

Published 2023-07-14 · Updated 2023-07-27

CVE-2023-37472

CVSS v3.1: 7.7 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Knowage versions prior to 8.1.8

Description: Knowage is an open source suite for business analytics that uses user-supplied data to create HQL queries without prior sanitization. An attacker can create specially crafted HQL queries to break subsequent SQL queries generated by the Hibernate engine. The endpoint "/knowage/restful-services/2.0/documents/listDocument" calls the "countBIObjects" method of the "BIObjectDAOHibImpl" object with the user-supplied label parameter without prior sanitization, leading to SQL injection in the backing database. Other injections have been identified in the application as well. An authenticated attacker with low privileges could leverage this issue to retrieve sensitive information from the database, such as account credentials or business information.

Recommendations: For versions prior to 8.1.8, upgrade to version 8.1.8 to address the issue. As a temporary workaround, consider restricting access to the "/knowage/restful-services/2.0/documents/listDocument" endpoint and limiting the use of the label parameter until the issue is resolved. Additionally, restrict access to the "countBIObjects" method of the "BIObjectDAOHibImpl" object to minimize the risk of exploitation.
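As an added illustration of the defect class described above (example code written for this page, not Knowage's own DAO), the Java sketch below contrasts an HQL count query built by string concatenation with one that binds the label as a named parameter. The "BIObject" entity, its "label" field, the Session argument and the label character set in the allowlist check are assumptions.

```java
import java.util.regex.Pattern;
import org.hibernate.Session;
import org.hibernate.query.Query;

// Illustrative only: assumes a mapped entity "BIObject" with a String field
// "label". Mirrors the shape of countBIObjects(label) from the advisory,
// but is not the project's real implementation.
public class BIObjectCountExample {

    // Vulnerable pattern: the user-controlled label becomes part of the HQL
    // text itself, so a label containing HQL metacharacters changes the SQL
    // that Hibernate generates from it.
    public static long countBIObjectsUnsafe(Session session, String label) {
        String hql = "select count(o) from BIObject o where o.label = '" + label + "'";
        return session.createQuery(hql, Long.class).getSingleResult();
    }

    // Hardened pattern: the HQL text is a constant and the label is bound as a
    // named parameter. Hibernate hands it to JDBC as a value, never as query
    // text, so its content cannot alter the generated SQL.
    public static long countBIObjectsSafe(Session session, String label) {
        Query<Long> q = session.createQuery(
            "select count(o) from BIObject o where o.label = :label", Long.class);
        q.setParameter("label", label);
        return q.getSingleResult();
    }

    // Optional defense in depth at the REST layer: reject labels outside an
    // allowlist before they reach the DAO. The permitted character set here is
    // an assumption; adapt it to the labels a deployment actually uses.
    private static final Pattern LABEL_ALLOWLIST = Pattern.compile("^[A-Za-z0-9_.-]{1,100}$");

    public static boolean isWellFormedLabel(String label) {
        return label != null && LABEL_ALLOWLIST.matcher(label).matches();
    }
}
```

Parameter binding, not input filtering, is the fix that removes the injection; the allowlist only narrows what reaches the query layer.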

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2023-37472
GHSA-2J3F-F696-7RGJ

Affected Products

Knowage