CVE-2024-32480: LibreNMS vulnerable to a Time-Based Blind SQL injection leads to database extraction

April 22, 2024

Get a valid API token, make sure you can access api functions, then replace string on my PoC code, Test on offical OVA image, it’s a old version 23.9.1, but this vulerable is also exists on latest version 24.2.0

References

github.com/advisories/GHSA-jh57-j3vq-h438
github.com/librenms/librenms
github.com/librenms/librenms/commit/83fe4b10c440d69a47fe2f8616e290ba2bd3a27c
github.com/librenms/librenms/security/advisories/GHSA-jh57-j3vq-h438
nvd.nist.gov/vuln/detail/CVE-2024-32480

Code Behaviors & Features

Detect and mitigate CVE-2024-32480 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →