CVE-2019-11343

9.8 CRITICAL

📋 TL;DR

CVE-2019-11343 is a critical SQL injection vulnerability in Torpedo Query versions before 2.5.3. The library's LIKE and NOT LIKE conditions (ConditionBuilder.java, LikeCondition.java and NotLikeCondition.java) did not safely handle the caller-supplied pattern, so a value containing a single quote or other query syntax can alter the generated query instead of being matched as data. Any Java application that passes untrusted input to these conditions is affected; an attacker can read, modify or delete data through the application's own database connection.

💻 Affected Systems

Products:
  • Torpedo Query
Versions: All versions before 2.5.3
Operating Systems: Platform-independent (Java library); any OS running a Java application that uses Torpedo Query
Default Config Vulnerable: ⚠️ Yes
Notes: Any Java application that passes attacker-influenced input to the library's LIKE or NOT LIKE conditions on a version below 2.5.3 is exposed, including applications that pull the library in transitively.

📦 What is this software?

Torpedo Query (torpedoquery) is an open-source Java library that builds JPA/JPQL queries through a fluent, type-safe API instead of hand-written query strings. The query text it generates is handed to the JPA provider, so any caller-supplied value the library places into that text becomes part of the query.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full database compromise through the application's database account: data exfiltration, modification or deletion, and remote code execution on the database server where the database engine and the account's privileges allow it.

🟠

Likely Case

SQL injection leading to unauthorized data access, privilege escalation, or data manipulation.

🟢

If Mitigated

Impact stays limited if untrusted input is validated or kept away from the library's LIKE/NOT LIKE conditions, but the defect remains in the library, so call-site mitigation is a stopgap rather than a fix.

🌐 Internet-Facing: HIGH - Applications exposed to the internet using vulnerable Torpedo Query versions are at significant risk of exploitation.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but have reduced attack surface compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Application-dependent
Complexity: LOW

The library has no authentication layer of its own: the injection is unauthenticated wherever the affected LIKE search is reachable before login. SQL injection is generally low-complexity to exploit, though no exploit details specific to this CVE are publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5.3

Vendor Advisory (fix commit): https://github.com/xjodoin/torpedoquery/commit/3c20b874fba9cc2a78b9ace10208de1602b56c3f

Restart Required: Yes

Instructions:

1. Update the Torpedo Query dependency to version 2.5.3 or later in your build configuration (Maven pom.xml or Gradle build.gradle); if the library arrives transitively, pin the version there as well.
2. Rebuild and redeploy the application.
3. Restart the application server.

🔧 Temporary Workarounds

Input Validation for LIKE Parameters

Applies to: all platforms

Treat every value that reaches the library's LIKE or NOT LIKE condition as hostile until the patch is in: reject values containing a single quote (and, for databases that treat it as an escape, a backslash), or enforce an allowlist such as letters, digits and spaces. Escape the LIKE wildcards % and _ separately when they should match literally; that limits over-broad matches but does not, by itself, stop a quote from breaking out of the query text.

Bind the Pattern Instead of Inlining It

Applies to: all platforms

For searches that must accept arbitrary text, do not route the value through the library's LIKE condition; issue that query through a path that binds the pattern as a parameter (a JPA/JPQL query with a named parameter, or a prepared statement), so the value is never spliced into the query text.
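The breakout the TL;DR describes, and why the two workarounds above differ in strength, as an added example that is not Torpedo Query's code: a Python model of the vulnerable concatenation beside the bound-parameter form, run against an in-memory SQLite table. Torpedo Query is a Java library that emits JPQL; the table, rows, payload and helper names here (vulnerable_like_fragment, find_admins_vulnerable, escape_like, find_admins_hardened) are all constructed to show the query-text behaviour, not the library's API.

```python
import sqlite3

# Constructed sample data standing in for an application's accounts table.
ROWS = [
    (1, "alice", "user"),
    (2, "bob", "user"),
    (3, "carol", "admin"),
]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO account VALUES (?, ?, ?)", ROWS)
    return conn


def vulnerable_like_fragment(column, term):
    """Models the pre-2.5.3 behaviour: the pattern is spliced into the query
    text as a quoted literal. A single quote in `term` closes that literal and
    whatever follows is parsed as SQL."""
    return f"{column} LIKE '%{term}%'"


def find_admins_vulnerable(term):
    """Admin-only search built by string concatenation (deliberately unsafe)."""
    sql = ("SELECT name FROM account WHERE role = 'admin' AND "
           + vulnerable_like_fragment("name", term) + " ORDER BY name")
    return [row[0] for row in _connect().execute(sql)]


def escape_like(term, esc="\\"):
    """Make %, _ and the escape character match literally inside a LIKE pattern.
    Escaping wildcards is separate from injection safety: binding stops the
    quote breakout, escaping stops a user-supplied '%' from matching everything."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def find_admins_hardened(term):
    """Same search with the pattern bound as a parameter instead of inlined."""
    sql = ("SELECT name FROM account WHERE role = 'admin' "
           "AND name LIKE ? ESCAPE '\\' ORDER BY name")
    pattern = "%" + escape_like(term) + "%"
    return [row[0] for row in _connect().execute(sql, (pattern,))]


if __name__ == "__main__":
    payload = "%' OR 'x' LIKE 'x"   # closes the literal, appends a tautology
    print(find_admins_vulnerable("car"))     # ['carol']
    print(find_admins_vulnerable(payload))   # ['alice', 'bob', 'carol']  role filter bypassed
    print(find_admins_hardened(payload))     # []  payload is searched for literally
```

The payload works because the spliced text becomes `name LIKE '%%' OR 'x' LIKE 'x%'`, and SQL's AND-before-OR precedence makes the tautology override the role filter. The bound version sends the same bytes as data, so the database never parses them.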

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to detect and block SQL injection attempts targeting LIKE operators.
  • Isolate database servers and implement strict network segmentation to limit potential damage from successful exploitation.
  • Run the application's database account with least privilege (no DDL, file or command-execution rights) so a successful injection cannot reach the worst case described above.

🔍 How to Verify

Check if Vulnerable:

Check the resolved dependency tree, not only the version declared in your dependency management file (pom.xml for Maven, build.gradle for Gradle), since Torpedo Query may be pulled in transitively. If the resolved version is lower than 2.5.3, you are vulnerable.

Check Version:

For Maven: mvn dependency:tree | grep -i torpedoquery
For Gradle: gradle dependencies | grep -i torpedoquery

Verify Fix Applied:

After updating, confirm that the dependency tree shows Torpedo Query resolved at 2.5.3 or higher. With Gradle, read the version after the -> arrow, which is the one actually placed on the classpath.
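A scripted form of the checks above, added here as example code rather than anything from the project: it parses Maven dependency:tree and Gradle dependencies output for torpedoquery lines and compares the resolved version against 2.5.3 numerically, so 2.5.10 is not mistaken for an old release. The sample output is constructed, and the coordinates in it (org.torpedoquery:org.torpedoquery) are assumed for illustration; the scan keys on the substring torpedoquery, as the grep above does.

```python
import re

FIXED_VERSION = (2, 5, 3)   # first release the advisory lists as patched

# g:a[:type[:classifier]]:version:scope, as printed by `mvn dependency:tree`
MAVEN_RE = re.compile(
    r"(?P<ga>[^:\s]+:[^:\s]+):(?:[^:\s]+:){1,2}(?P<ver>\d[^:\s]*):\w+")
# g:a:version[ -> resolvedVersion], as printed by `gradle dependencies`
GRADLE_RE = re.compile(
    r"(?P<ga>[^:\s]+:[^:\s]+):(?P<ver>\d\S*)(?:\s*->\s*(?P<resolved>\d\S*))?")

# Constructed output: a Maven fragment followed by a Gradle fragment. The
# coordinates are illustrative; the scan keys on the substring "torpedoquery".
SAMPLE_TREE = """\
[INFO] com.example:shop:jar:1.0.0
[INFO] +- org.torpedoquery:org.torpedoquery:jar:2.5.2:compile
[INFO] \\- org.hibernate:hibernate-core:jar:5.4.0.Final:compile
compileClasspath - Compile classpath for source set 'main'.
+--- org.torpedoquery:org.torpedoquery:2.5.1 -> 2.5.3 (*)
\\--- org.torpedoquery:org.torpedoquery:2.5.10
"""


def parse_version(version):
    """'2.5.10' -> (2, 5, 10). Qualifiers such as -SNAPSHOT are dropped, so a
    2.5.3-SNAPSHOT compares equal to 2.5.3; treat such builds as suspect."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def is_vulnerable(version):
    # Tuple comparison avoids the string-compare trap where "2.5.10" < "2.5.3".
    return parse_version(version) < FIXED_VERSION


def find_torpedoquery_versions(tree_text):
    """Return (coordinate, resolved_version, vulnerable) for each torpedoquery
    line in Maven or Gradle dependency-tree output. For Gradle, the version
    after '->' is the one actually on the classpath, so it is the one judged."""
    results = []
    for line in tree_text.splitlines():
        if "torpedoquery" not in line.lower():
            continue
        m = MAVEN_RE.search(line) or GRADLE_RE.search(line)
        if not m:
            continue
        version = m.groupdict().get("resolved") or m.group("ver")
        results.append((m.group("ga"), version, is_vulnerable(version)))
    return results


if __name__ == "__main__":
    for coord, version, bad in find_torpedoquery_versions(SAMPLE_TREE):
        print(f"{coord} {version} {'VULNERABLE' if bad else 'ok'}")
```

Pipe the real tool output in with `sys.stdin.read()` in place of SAMPLE_TREE; a declared 2.5.1 that Gradle resolves to 2.5.3 is reported as not vulnerable, while a declared 2.5.2 with no conflict resolution is.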

📡 Detection & Monitoring

Log Indicators:

  • Unusual database query patterns with LIKE operators
  • SQL syntax errors in application logs
  • Unexpected database access patterns

Network Indicators:

  • Unusual database traffic patterns
  • Multiple failed query attempts with special characters

SIEM Query:

SELECT * FROM application_logs
WHERE message LIKE '%LIKE%'
  AND (message LIKE '%SQL%error%' OR message LIKE '%syntax%error%');

application_logs and message are placeholders for your log store's table and field names. This query only surfaces attempts that produced a database error; pair it with the query-pattern indicators above to catch injections that succeeded silently.
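The log indicators above turned into a scanner, as an added example that is not part of the original page: a handful of heuristics run over constructed log lines (generated-query debug output and one database error), flagging the LIKE-related patterns a successful or failed injection leaves behind. The log format, heuristic names and sample lines are all made up for the example.

```python
import re

# Constructed log lines: generated-query (JPQL) debug output plus one database
# error. Lines 3, 4 and 6 carry injected syntax; line 5 is the error such an
# attempt produces when the payload does not parse.
SAMPLE_LOG = """\
2019-05-01T10:02:11Z app DEBUG jpql: select a from Account a where a.name like '%alice%'
2019-05-01T10:02:12Z app DEBUG jpql: select a from Account a where a.name like '%bob%' and a.active = 'Y'
2019-05-01T10:02:15Z app DEBUG jpql: select a from Account a where a.name like '%' or 'x' like 'x%'
2019-05-01T10:02:16Z app DEBUG jpql: select a from Account a where a.name like '%'-- %'
2019-05-01T10:02:17Z db ERROR SQLSyntaxErrorException: unexpected token near "like '%';"
2019-05-01T10:02:18Z app DEBUG jpql: select a from Account a where a.name like '%' union select p from Secret p where p.v like '%'
"""

# Each heuristic is (name, compiled regex). They are applied only to lines
# that mention LIKE, matching the advisory's affected code path.
HEURISTICS = [
    # 'x' like 'x  or  '1'='1 : an always-true comparison appended after a breakout
    ("tautology", re.compile(r"'(\w+)'\s*(?:=|like)\s*'\1", re.IGNORECASE)),
    # comment sequences used to swallow the rest of the original query
    ("sql_comment", re.compile(r"--|/\*")),
    ("stacked_query", re.compile(r";\s*(?:select|insert|update|delete|drop)\b", re.IGNORECASE)),
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE)),
    # database-side parse failures are the trace left by a malformed payload
    ("syntax_error_near_like", re.compile(r"syntax|unexpected token", re.IGNORECASE)),
]


def scan_log(lines):
    """Return [(1-based line number, [heuristic names])] for suspicious lines."""
    flagged = []
    for number, line in enumerate(lines, start=1):
        if "like" not in line.lower():
            continue
        reasons = [name for name, rx in HEURISTICS if rx.search(line)]
        if reasons:
            flagged.append((number, reasons))
    return flagged


if __name__ == "__main__":
    for number, reasons in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {number}: {', '.join(reasons)}")
```

Expect false positives from legitimate data containing -- or a repeated literal; this is a triage aid to run over the JPQL/SQL debug output the application already emits, not a detector for the CVE itself, and it only sees injections that reach the query log.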

🔗 References

  • Fix commit: https://github.com/xjodoin/torpedoquery/commit/3c20b874fba9cc2a78b9ace10208de1602b56c3f
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2019-11343