CVE-2022-24407

HIGH

Cyrus SASL 2.1.17-2.1.27 - SQL Injection via Unescaped Password in SQL Plugin

Title source: llm

Description

In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.

Scores

CVSS v3 8.8
EPSS 0.0043
EPSS Percentile 62.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (12)
cyrusimap/cyrus-sasl 2.1.17 - 2.1.27
debian/debian_linux 9.0
debian/debian_linux 10.0
debian/debian_linux 11.0
fedoraproject/fedora 34
fedoraproject/fedora 35
fedoraproject/fedora 36
netapp/active_iq_unified_manager
netapp/ontap_select_deploy_administration_utility
oracle/communications_cloud_native_core_console 22.2.0
... and 2 more
Published Feb 24, 2022
Tracked Since Feb 18, 2026