CVE-2017-15367

9.8 CRITICAL

📋 TL;DR

CVE-2017-15367 is a critical SQL injection vulnerability in Bacula-web versions before 8.0.0-rc2 that allows attackers to execute arbitrary SQL queries against the Bacula database. This could lead to unauthorized data access, privilege escalation, and potentially full server compromise depending on database configuration. All organizations running vulnerable Bacula-web installations are affected.

💻 Affected Systems

Products:
  • Bacula-web
Versions: All versions before 8.0.0-rc2
Operating Systems: All operating systems running Bacula-web
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. The vulnerability exists in multiple SQL query parameters across the application.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data exfiltration, privilege escalation to root/system access, and potential lateral movement within the network.

🟠 Likely Case

Unauthorized access to backup data, modification of backup records, and potential credential theft from the Bacula database.

🟢 If Mitigated

Limited to read-only database access if proper database permissions are configured, with no privilege escalation path.

🌐 Internet-Facing: HIGH - SQL injection vulnerabilities are easily exploitable and Bacula-web is often exposed for remote administration.
🏢 Internal Only: HIGH - Even internal attackers or compromised systems could exploit this to gain database access and escalate privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit code is publicly available on Exploit-DB (ID: 44272). Authentication to Bacula-web is required, but SQL injection can bypass authorization checks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.0.0-rc2 and later

Vendor Advisory: http://bacula-web.org/download/articles/bacula-web-8-0-0-rc2.html

Restart Required: No

Instructions:

1. Back up the current configuration.
2. Download Bacula-web 8.0.0-rc2 or later from the official site.
3. Replace the existing installation with the patched version.
4. Verify database connectivity.
5. Test application functionality.

🔧 Temporary Workarounds

Database Permission Restriction (applies to: all platforms)

Limit the database account used by Bacula-web to read-only access. Use a dedicated account for Bacula-web: the Bacula Director still needs write access to the catalog through its own account, so do not apply this to the Director's credentials.

-- Revoke everything first so that no privilege outside a named list survives, then grant SELECT only
REVOKE ALL PRIVILEGES ON bacula.* FROM 'bacula_web_user'@'localhost';
GRANT SELECT ON bacula.* TO 'bacula_web_user'@'localhost';

Web Application Firewall (WAF) (applies to: all platforms)

Deploy WAF rules to block SQL injection patterns targeting Bacula-web endpoints. Treat this as a stopgap only; a WAF reduces exposure but does not remove the vulnerable code.

🧯 If You Can't Patch

  • Isolate Bacula-web server from internet and restrict network access to authorized administrators only
  • Implement strict database account permissions with minimal privileges required for Bacula-web functionality

🔍 How to Verify

Check if Vulnerable:

Check the Bacula-web version in the web interface or configuration files. If the version is below 8.0.0-rc2, the system is vulnerable.

Check Version:

grep '\$version' /path/to/bacula-web/include/config.inc.php 2>/dev/null || cat /path/to/bacula-web/VERSION 2>/dev/null

Verify Fix Applied:

Verify that the installed version is 8.0.0-rc2 or later, and confirm that SQL injection payloads against the affected parameters no longer succeed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by complex URL parameters
  • Web server logs showing SQL keywords in GET/POST parameters

Network Indicators:

  • HTTP requests containing SQL injection patterns to Bacula-web endpoints
  • Unusual database connections from web server IP

SIEM Query:

source="web_logs" AND (url="*bacula-web*" AND (param="*UNION*" OR param="*SELECT*" OR param="*INSERT*" OR param="*DELETE*" OR param="*' OR '1'='1*"))
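As an added example that is not part of this advisory, the following Python script applies the same indicators as the SIEM query above to web server log lines, restricting matches to requests under the Bacula-web path so that ordinary traffic to other applications on the host is not flagged. The log lines, client IPs and the `/bacula-web/` deployment prefix are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache combined-format log lines for the example (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2017:10:00:01 +0000] "GET /bacula-web/jobs.php?status=running HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Nov/2017:10:00:02 +0000] "GET /bacula-web/jobs.php?status=1%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 8120 "-" "curl/7.55"
10.0.0.9 - - [01/Nov/2017:10:00:03 +0000] "GET /wiki/index.php?title=UNION%20types HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Nov/2017:10:00:04 +0000] "GET /bacula-web/client.php?client_id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8000 "-" "curl/7.55"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Same indicators as the SIEM query above, matched against decoded parameter values.
SQLI_RE = re.compile(r"\bUNION\b|\bSELECT\b|\bINSERT\b|\bDELETE\b|'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE)


def suspicious_params(target):
    """Return (name, decoded value) pairs from the query string that match an SQLi indicator."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote_plus(value)  # parse_qsl decoded once; decode again to catch double-encoding
        if SQLI_RE.search(value):
            hits.append((name, value))
    return hits


def scan_log(text, app_prefix="/bacula-web/"):
    """Flag requests to Bacula-web (assumed deployed under app_prefix) whose parameters match."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlsplit(m.group("target")).path
        if not path.startswith(app_prefix):
            continue  # keep the scope to the vulnerable application; other apps generate noise
        hits = suspicious_params(m.group("target"))
        if hits:
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"), "path": path, "params": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Keyword indicators such as SELECT will also match legitimate values (the wiki request in the sample shows why the path scope matters), so tune the prefix and patterns to the actual deployment before alerting on them.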
