CVE-2019-5476

9.8 CRITICAL (CVSS v3 base score)

📋 TL;DR

CVE-2019-5476 is an unauthenticated SQL injection vulnerability in the Nextcloud Lookup-Server before version 0.3.0, the component that runs lookup.nextcloud.com. An attacker who can reach a vulnerable lookup endpoint can execute arbitrary SQL against the service's database without any credentials, up to and including reading or altering every record it holds. Self-hosted Lookup-Server deployments on a version before 0.3.0 are affected and need to be updated.

💻 Affected Systems

Products:
  • Nextcloud Lookup-Server
Versions: All versions < 0.3.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: The Lookup-Server is a separate component from the Nextcloud server. It is the software behind lookup.nextcloud.com and can also be self-hosted for federated sharing. A standard Nextcloud installation that merely queries a lookup server is not itself vulnerable; any self-hosted Lookup-Server on a version before 0.3.0 is.

📦 What is this software?

The Nextcloud Lookup-Server is a small, separately deployed PHP service that lets Nextcloud instances find users on other instances for federated sharing. Nextcloud operates a public instance at lookup.nextcloud.com, and administrators can run their own and point their Nextcloud at it via the lookup_server setting in config.php.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of the lookup database: every record read, altered or deleted, and, if the database account holds file-write or administrative privileges, a pivot from the database to the host.

🟠 Likely Case

Bulk extraction of the profile data users chose to publish to the lookup service (such as names, e-mail addresses and federated cloud IDs) and tampering with the records the service returns.

🟢 If Mitigated

Updating to 0.3.0 removes the injection. Short of that, a least-privileged database account and a WAF reduce what a successful injection can reach but do not prevent it; probes still show up in the web server and database logs and should be alerted on.

🌐 Internet-Facing: HIGH - A Lookup-Server exists to be queried by other Nextcloud instances, so it is normally reachable from the internet, and the injection needs no credentials.
🏢 Internal Only: LOW - A Lookup-Server that only a known set of instances can reach has a far smaller attacker population, but the vulnerability itself is unchanged, so it still needs the update.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection is a well-understood, tool-assisted bug class, and because this endpoint requires no authentication, anyone who can reach the service can attempt it.
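The following added example (not code from this page or from the Lookup-Server project) shows the bug class behind this CVE on a hypothetical lookup endpoint: a search by federated cloud ID whose SQL is built by string concatenation, beside the parameterised form that closes the bug class. The table names, columns, sample rows and search semantics are assumptions made for illustration, using an in-memory SQLite database; the real vulnerable query is not reproduced here.

```python
"""Hypothetical lookup endpoint showing the SQL injection bug class.

Not the Lookup-Server's code: tables, columns, rows and the search
semantics are constructed for this example (SQLite in memory).
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            federation_id TEXT,
            email TEXT,
            is_private INTEGER
        );
        INSERT INTO users (federation_id, email, is_private) VALUES
            ('alice@cloud.example', 'alice@example.org', 0),
            ('bob@cloud.example',   'bob@example.org',   1),
            ('carol@cloud.example', 'carol@example.org', 1);
        -- An unrelated table the endpoint should never expose.
        CREATE TABLE tokens (owner TEXT, secret TEXT);
        INSERT INTO tokens VALUES ('admin', 'constructed-secret-value');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, search: str) -> list:
    """Search by federation ID, meant to return only public entries.

    The search term is spliced into the SQL text, so the caller controls
    the query structure: this is the bug class, not the CVE's real query.
    """
    sql = (
        "SELECT federation_id, email FROM users "
        f"WHERE federation_id = '{search}' AND is_private = 0"
    )
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, search: str) -> list:
    """Same query with a bound parameter: the input can only ever be data."""
    sql = (
        "SELECT federation_id, email FROM users "
        "WHERE federation_id = ? AND is_private = 0"
    )
    return conn.execute(sql, (search,)).fetchall()


def demo() -> dict:
    """Run three inputs through both versions and return the results."""
    conn = make_db()
    normal = "alice@cloud.example"
    # Tautology plus comment: the privacy filter is commented out, every row comes back.
    dump_all = "' OR 1=1 --"
    # UNION: rows from an unrelated table are returned through the same endpoint.
    union = "' UNION SELECT owner, secret FROM tokens --"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_dump_all": lookup_vulnerable(conn, dump_all),
        "vuln_union": lookup_vulnerable(conn, union),
        "fixed_normal": lookup_fixed(conn, normal),
        "fixed_dump_all": lookup_fixed(conn, dump_all),
        "fixed_union": lookup_fixed(conn, union),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15} {rows}")
```

The two hostile inputs map directly onto the Likely Case above: the tautology dumps every row including private ones, and the UNION pulls data out of a table the endpoint never meant to touch. With the bound parameter, both inputs are compared as literal strings and match nothing.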

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.3.0 and later

Vendor Advisory: https://nextcloud.com/security/advisory/?id=NC-SA-2019-011

Restart Required: Yes

Instructions:

1. Update the Nextcloud Lookup-Server to version 0.3.0 or later.
2. Restart the service (the web server or PHP process serving it) so the new code is loaded.
3. Verify that the running version is 0.3.0 or later (see How to Verify below).

🔧 Temporary Workarounds

Network Isolation (Linux, iptables)

Restrict access to the Lookup-Server's HTTPS port to trusted networks. Replace TRUSTED_NETWORK with a CIDR (for example 203.0.113.0/24) and repeat the ACCEPT line for each network. This breaks lookups from any Nextcloud instance outside those networks, so it only suits a lookup server serving a known set of instances. The rules append to the INPUT chain; if an earlier rule already accepts port 443, insert them with -I instead so they are evaluated first. If the service sits behind a reverse proxy on another host, apply the restriction at the proxy.

iptables -A INPUT -p tcp --dport 443 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Put a Web Application Firewall with SQL injection rules in front of the service, and treat it as a stopgap: signature rules are bypassed with encoding and comment tricks, so alert on matches rather than assuming they were blocked
  • Run the service with a database account limited to the tables it needs and without file or administrative privileges, which caps what a successful injection can reach
  • Disable the Lookup-Server entirely if your instances do not need a self-hosted one (a Nextcloud server whose lookup_server setting points at lookup.nextcloud.com does not require you to run your own)

🔍 How to Verify

Check if Vulnerable:

Any Lookup-Server deployment from a release before 0.3.0 is vulnerable. If you only point your Nextcloud at lookup.nextcloud.com and do not host a lookup server yourself, there is nothing to patch on your side.

Check Version:

In the directory where the Lookup-Server is deployed, compare the checkout against the release tags (for a git-based deployment, git describe --tags); otherwise check the release archive or deployment manifest it was installed from.

Verify Fix Applied:

Confirm that version 0.3.0 or later is what is actually serving requests, not merely present on disk. Then, against your own instance only, send a lookup whose search term contains a single quote and confirm it is treated as data: no SQL error in the response or logs, and no unexpected extra rows.

📡 Detection & Monitoring

Log Indicators:

  • Web server access log: requests to the lookup endpoints whose URL-decoded query parameters contain a lone single quote, a -- comment, UNION ... SELECT, or SLEEP( / BENCHMARK(, particularly many such requests in quick succession from one source (automated scanners)
  • Application or PHP error log: SQL syntax errors triggered by user input (error-based probing)
  • Database log, if statement logging is enabled: queries carrying UNION clauses or comments the application never emits, or reading tables it never touches, such as information_schema

Network Indicators:

  • HTTP requests to lookup endpoints whose decoded parameters contain SQL operators (UNION, SLEEP(, a quote followed by OR or AND); matching bare keywords such as FROM or WHERE is too noisy, as they occur in ordinary search terms and e-mail addresses
  • Responses far larger than usual for a single lookup (a tautology returning every row) or delayed by several seconds (time-based blind probing)

SIEM Query:

Splunk-style; the field names uri_query, src_ip and status are placeholders for your web log schema, and the pattern must be applied to the URL-decoded parameter value. Do not filter on status=200: error-based probes come back as 500 and blind probes as 200, and both matter.

source="web_logs" | regex uri_query="(?i)(union[\s/*]+select|\b(sleep|benchmark|pg_sleep)\s*\(|'\s*(or|and)\s+\S+\s*=|'\s*--)" | stats count by src_ip, status
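The detection logic above, as an added example that is not part of this page or of any Nextcloud tooling: it parses Combined Log Format access log lines, fully URL-decodes each query parameter (so double-encoded and /**/-obfuscated payloads are still caught), matches decoded values against injection patterns rather than bare SQL keywords, and counts probing sources. The /users?search= endpoint shape and the log lines are constructed for the example and are not necessarily the Lookup-Server's real route.

```python
"""Scan web server access logs for SQL injection probes against a lookup endpoint.

Added example, not Nextcloud code. The endpoint path and the log lines are
constructed; the format is Combined Log Format.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample: one legitimate client and one attacker probing the search parameter.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2019:12:00:01 +0000] "GET /users?search=alice%40cloud.example HTTP/1.1" 200 312 "-" "Nextcloud Server Crawler"
198.51.100.9 - - [10/Aug/2019:12:00:05 +0000] "GET /users?search=alice%27%20OR%201%3D1--%20 HTTP/1.1" 200 4711 "-" "python-requests/2.22.0"
198.51.100.9 - - [10/Aug/2019:12:00:06 +0000] "GET /users?search=alice%27%20UNION%2F%2A%2A%2FSELECT%20NULL%2CNULL-- HTTP/1.1" 500 0 "-" "python-requests/2.22.0"
198.51.100.9 - - [10/Aug/2019:12:00:07 +0000] "GET /users?search=alice%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 312 "-" "python-requests/2.22.0"
203.0.113.7 - - [10/Aug/2019:12:00:09 +0000] "GET /users?search=from%40where.example HTTP/1.1" 200 312 "-" "Nextcloud Server Crawler"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Matched against the *decoded* parameter values, never the raw URL.
# Bare keywords (SELECT, FROM, WHERE) are deliberately absent: they appear in
# legitimate search terms and addresses (see the last sample line).
SQLI_RE = re.compile(
    r"(?ix)"
    r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+"   # tautology: ' OR 1=1
    r"|union(\s|/\*.*?\*/)+select"         # UNION SELECT, including /**/ obfuscation
    r"|\b(sleep|benchmark|pg_sleep)\s*\("   # time-based blind probes
    r"|'\s*--"                              # quote immediately followed by a comment
)


def decode_params(target: str) -> dict:
    """Split the request target and fully URL-decode each query value."""
    params = {}
    for part in urlsplit(target).query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        # Decode until stable so double-encoded payloads (%2527) do not slip through.
        decoded = unquote_plus(value)
        while decoded != unquote_plus(decoded):
            decoded = unquote_plus(decoded)
        params[unquote_plus(key)] = decoded
    return params


def find_sqli(log_text: str) -> list:
    """Return (ip, status, param, decoded_value) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for key, value in decode_params(m["target"]).items():
            if SQLI_RE.search(value):
                hits.append((m["ip"], int(m["status"]), key, value))
    return hits


def probing_ips(hits: list, threshold: int = 2) -> dict:
    """Source IPs with at least `threshold` suspicious requests (scanner behaviour)."""
    counts = Counter(ip for ip, *_ in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = find_sqli(SAMPLE_LOG)
    for ip, status, key, value in found:
        print(f"{ip} {status} {key}={value!r}")
    print("probing sources:", probing_ips(found))
```

Note that the third sample request returns a 500 and the other two probes return 200; a rule that keys on status=200 would miss the error-based probe, and a rule that matches the raw URL would miss all three because the payloads are percent-encoded.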

🔗 References

  • Nextcloud security advisory: https://nextcloud.com/security/advisory/?id=NC-SA-2019-011
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2019-5476