CVE-2022-24407: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

February 24, 2022 (updated November 9, 2023)

In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.

References

www.openwall.com/lists/oss-security/2022/02/23/4
github.com/cyrusimap/cyrus-sasl/blob/fdcd13ceaef8de684dc69008011fa865c5b4a3ac/docsrc/sasl/release-notes/2.1/index.rst
nvd.nist.gov/vuln/detail/CVE-2022-24407
www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html
www.debian.org/security/2022/dsa-5087

Code Behaviors & Features

Detect and mitigate CVE-2022-24407 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →