CVE-2021-39165: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

August 30, 2021

Cachet is an open source status page. With Cachet prior to and including 2.3.18, there is a SQL injection which is in the SearchableTrait#scopeSearch(). Attackers without authentication can utilize this vulnerability to exfiltrate sensitive data from the database such as administrator’s password and session. The original repository of Cachet https://github.com/CachetHQ/Cachet is not active, the stable version 2.3.18 and it’s developing 2.4 branch is affected.

References

github.com/advisories/GHSA-79mg-4w23-4fqc
github.com/fiveai/Cachet/commit/27bca8280419966ba80c6fa283d985ddffa84bb6
github.com/fiveai/Cachet/security/advisories/GHSA-79mg-4w23-4fqc
nvd.nist.gov/vuln/detail/CVE-2021-39165

Detect and mitigate CVE-2021-39165 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →