CVE-2023-42283

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Tyk Gateway version 5.0.3

Description The issue concerns a blind SQL injection in the api id parameter, allowing an attacker to access and dump the database via a crafted SQL query. This is related to the lack of protection measures for the SQL query structure in the Tyk Gateway implementation. Exploitation of this issue can enable a remote attacker to execute arbitrary SQL queries.

Recommendations For Tyk Gateway version 5.0.3, consider restricting access to the api id parameter to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using the api id parameter in affected API endpoints until the issue is resolved.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

BDU:2023-08253

CVE-2023-42283

Affected Products

Tyk Gateway

CVE-2023-42283

Weakness Enumeration

Related Identifiers

Affected Products

References · 5