Attacks could be mounted via manipulation of query operators in search criteria
Rapid7 has patched a critical SQL injection vulnerability in Nexpose, its on-premises vulnerability management software.
The flaw, which carries a CVSS score of 9.8, arose because the set of valid search operators was not defined, according to the CVE description for the bug, which is tracked as CVE-2022-0757.
Consequently, an attacker can inject SQL by manipulating the ‘ALL’ or ‘ANY’ filter query operators in the SearchCriteria.
The issue affects all versions of Nexpose – also known as Security Console – up to and including 6.6.128.
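As an added illustration, and not Rapid7's code or Nexpose's actual schema or query builder, the Python sketch below shows the class of defect the CVE description points to: a filter query operator (the ALL/ANY "match" field of a SearchCriteria-style request) combined into SQL without being checked against an allowlist, beside the hardened variant that rejects anything outside the allowlist. The `asset` table, the field and operator names, the JSON shape of the criteria and the injected operator string are all constructed for the example.

```python
"""Hypothetical search-criteria query builder (constructed example, not Nexpose code).

The filter VALUES are always bound as parameters; the only difference between the
two builders is how the ALL/ANY connective supplied by the caller is handled.
"""
import sqlite3

# Constructed sample table; not Nexpose's schema.
SCHEMA = """
CREATE TABLE asset (id INTEGER PRIMARY KEY, hostname TEXT, risk_score INTEGER, site TEXT);
INSERT INTO asset VALUES (1, 'web01', 900, 'dmz'),
                         (2, 'db01',  200, 'internal'),
                         (3, 'app01', 650, 'dmz');
"""

# Allowlists: column names and comparison operators never come from the request verbatim.
FIELDS = {"hostname": "hostname", "risk": "risk_score", "site": "site"}
OPS = {"is": "=", "gt": ">"}
CONNECTIVES = {"ALL": "AND", "ANY": "OR"}   # the only legal filter query operators


def _clauses(filters):
    """Turn each filter into 'column <op> ?' with the value bound as a parameter."""
    clauses, params = [], []
    for f in filters:
        clauses.append(f"{FIELDS[f['field']]} {OPS[f['op']]} ?")
        params.append(f["value"])
    return clauses, params


def _assemble(conj, clauses):
    if not clauses:
        return "SELECT hostname FROM asset ORDER BY id"
    return "SELECT hostname FROM asset WHERE " + f" {conj} ".join(clauses) + " ORDER BY id"


def build_query_vulnerable(criteria):
    """Defective pattern: an unrecognised 'match' operator falls through into the SQL text."""
    match = criteria["match"]
    conj = CONNECTIVES.get(match, match)        # <-- no restriction on the operator
    clauses, params = _clauses(criteria["filters"])
    return _assemble(conj, clauses), params


def build_query_fixed(criteria):
    """Hardened pattern: the connective must be one of the allowlisted operators."""
    match = criteria["match"]
    if match not in CONNECTIVES:
        raise ValueError(f"invalid filter query operator: {match!r}")
    clauses, params = _clauses(criteria["filters"])
    return _assemble(CONNECTIVES[match], clauses), params


def run(builder, criteria):
    """Execute the built query against an in-memory copy of the sample table."""
    sql, params = builder(criteria)
    con = sqlite3.connect(":memory:")
    try:
        con.executescript(SCHEMA)
        return [row[0] for row in con.execute(sql, params).fetchall()]
    finally:
        con.close()


# A legitimate request: assets in the dmz site AND with risk score above 700.
LEGIT = {
    "match": "ALL",
    "filters": [
        {"field": "site", "op": "is", "value": "dmz"},
        {"field": "risk", "op": "gt", "value": 700},
    ],
}

# Constructed attacker payload: the same filters, but the 'match' operator carries SQL.
# Through the vulnerable builder this yields '... WHERE site = ? OR 1=1 OR risk_score > ?',
# which returns every asset regardless of the filters.
MALICIOUS = {"match": "OR 1=1 OR", "filters": LEGIT["filters"]}


if __name__ == "__main__":
    print("vulnerable, legit request :", run(build_query_vulnerable, LEGIT))
    print("vulnerable, injected op   :", run(build_query_vulnerable, MALICIOUS))
    print("fixed, legit request      :", run(build_query_fixed, LEGIT))
    try:
        run(build_query_fixed, MALICIOUS)
    except ValueError as exc:
        print("fixed, injected op        : rejected ->", exc)
```

The point worth noting is that parameterising the filter values alone does not help here: the injected text lives in the query's structure (the connective between clauses), so the only defence is to map the caller's operator through a fixed allowlist and reject everything else, exactly as the `build_query_fixed` variant does.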
XSS in the mix
Rapid7, a Massachusetts-based cybersecurity firm, addressed the issue in Nexpose version 6.6.129, released March 2.
The latest version also includes support for TLS 1.3 services, an added vulnerability check for Log4j, and additional Metasploit-based vulnerability coverage.
A second flaw, a reflected cross-site scripting (XSS) bug in the shared scan configuration, enables an attacker to “pass literal values as the test credentials, providing the opportunity for a potential XSS attack”, reads the description of CVE-2022-0758.
Rated CVSS 6.1, the bug affects versions 6.6.129 and earlier and was fixed in Security Console version 6.6.130, released on March 9.
The bugs were uncovered by Aleksey Solovev, security researcher at PT Swarm, the offensive team of Positive Technologies.
The Daily Swig has contacted Positive Technologies and Rapid7 with an invitation to comment further. We will update this article if and when they comment.