CVE-2024-37896

SQL injection vulnerability in Gin-vue-admin

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Gin-vue-admin is a backstage management system based on vue and gin. Gin-vue-admin <= v2.6.5 has SQL injection vulnerability. The SQL injection vulnerabilities occur when a web application allows users to input data into SQL queries without sufficiently validating or sanitizing the input. Failing to properly enforce restrictions on user input could mean that even a basic form input field can be used to inject arbitrary and potentially dangerous SQL commands. This could lead to unauthorized access to the database, data leakage, data manipulation, or even complete compromise of the database server. This vulnerability has been addressed in commit `53d033821` which has been included in release version 2.6.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Gin-vue-admin es un sistema de gestión detrás de escena basado en vue y gin. Gin-vue-admin <= v2.6.5 tiene una vulnerabilidad de inyección SQL. Las vulnerabilidades de inyección SQL ocurren cuando una aplicación web permite a los usuarios ingresar datos en consultas SQL sin validar o sanitizar suficientemente la entrada. No aplicar adecuadamente las restricciones a la entrada del usuario podría significar que incluso un campo de entrada de formulario básico pueda usarse para inyectar comandos SQL arbitrarios y potencialmente peligrosos. Esto podría provocar un acceso no autorizado a la base de datos, una fuga de datos, una manipulación de datos o incluso un compromiso total del servidor de la base de datos. Esta vulnerabilidad se solucionó en el commit `53d033821` que se incluyó en la versión 2.6.6. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.

*Credits: N/A

CVSS Scores

GitHubv3.1 8.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-06-10 CVE Reserved
2024-06-17 CVE Published
2024-06-18 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CAPEC

References (2)

URL	Tag	Source
https://github.com/flipped-aurora/gin-vue-admin/commit/53d03382188868464ade489ab0713b54392d227f	X_refsource_misc
https://github.com/flipped-aurora/gin-vue-admin/security/advisories/GHSA-gf3r-h744-mqgp	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Flipped-aurora Search vendor "Flipped-aurora"		Gin-vue-admin Search vendor "Flipped-aurora" for product "Gin-vue-admin"				< 2.6.6 Search vendor "Flipped-aurora" for product "Gin-vue-admin" and version " < 2.6.6"		en		Affected