SUMMARY

The following vulnerability was found in ScienceLogic SL1.

CVE-2022-48593

A SQL injection vulnerability exists in the “topology data service” feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database.

CVSS 3.1

8.8 (High) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AFFECTED PRODUCTS

  • ScienceLogic SL1 <= 11.1.2

SOFTWARE FIXES

Update to the latest version of ScienceLogic SL1.

TIMELINE

09.06.2022

Notified vendor of vulnerability

10.04.2022

Vendor hires law firm to manage disclosure

10.28.2022

Vendor refuses CVE issuance and disclosure

11.28.2022

Vendor’s legal team strongly advises against disclosing to MITRE

06.07.2023

Vendor notified of intent to issue CVEs and disclose vulnerabilities

08.09.2023

Public disclosure

ACKNOWLEDGMENTS

  • Ryan Wincey (b0yd)

REFERENCES