CVE-2021-22851

9.8 CRITICAL

📋 TL;DR

CVE-2021-22851 is a critical SQL injection vulnerability in HGiga EIP products that allows attackers to execute arbitrary SQL commands via the document management page URL parameter. This enables attackers to extract database schema information and sensitive data. Organizations using vulnerable HGiga EIP installations are affected.

💻 Affected Systems

Products:
  • HGiga EIP
Versions: Specific affected versions are not detailed in the references; treat any version that ships the vulnerable document management functionality as affected
Operating Systems: All platforms running HGiga EIP
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the document management page URL parameter handling. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including extraction of all stored data, credential theft, potential lateral movement to connected systems, and full system takeover.

🟠 Likely Case: Data exfiltration of sensitive business information, user credentials, and potential privilege escalation within the application.

🟢 If Mitigated: Limited impact with proper input validation, WAF protection, and network segmentation preventing database access.

🌐 Internet-Facing: HIGH - Directly exploitable via web interface without authentication, making internet-facing instances immediate targets.
🏢 Internal Only: HIGH - Even internal instances are vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via URL parameter is straightforward for attackers with basic web application testing skills. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Specific version not provided in references; contact HGiga for patched versions

Vendor Advisory: https://www.twcert.org.tw/tw/cp-132-4327-50e99-1.html

Restart Required: Yes

Instructions:

1. Contact HGiga support for security patches.
2. Apply the provided patches according to vendor instructions.
3. Restart affected services.
4. Verify that the fix has been applied.

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules
Platforms: all
Implement WAF rules to block SQL injection patterns in URL parameters. WAF-specific configuration commands vary by vendor.

Input Validation Filter
Platforms: all
Add input validation to sanitize URL parameters before processing. Application-specific code modifications are required.

🧯 If You Can't Patch

  • Isolate affected systems from internet and restrict network access to necessary services only
  • Implement strict monitoring for SQL injection attempts and database access patterns

🔍 How to Verify

Check if Vulnerable:

Test document management page URL parameters with SQL injection payloads (e.g., ' OR '1'='1) and monitor for database errors or unexpected responses

Check Version:

Check HGiga EIP administration interface or contact vendor for version information

Verify Fix Applied:

Retest with the same SQL injection payloads after applying the patch; a patched system should reject the malicious input or return a validation error rather than a database error

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in application logs
  • Unusual database query patterns
  • Multiple failed parameter validation attempts

Network Indicators:

  • HTTP requests with SQL keywords in URL parameters
  • Unusual database connection patterns from web servers

SIEM Query:

(web.url:*sql* OR web.url:*union* OR web.url:*select*) AND dest_ip:[HGiga_EIP_IP]

The parentheses matter: in Lucene-style query syntax AND binds tighter than OR, so without them the dest_ip filter applies only to the *select* clause and the first two clauses match traffic to every host. The wildcard terms also match benign words such as "selected" or "sqlite", so expect to tune the query against your own baseline traffic.
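The log indicators above can be checked outside a SIEM as well. The following is an added example, not code from the advisory or from HGiga: it parses Common Log Format access-log lines, URL-decodes each query parameter, and flags the patterns the page names (a quoted boolean such as ' OR '1'='1, UNION SELECT, and a trailing SQL comment) per parameter rather than by substring-matching the whole URL. The sample log lines, the /eip/doc.aspx path and the id parameter are constructed placeholders, since the advisory does not give the real URL.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines (not real HGiga traffic). The path
# /eip/doc.aspx and the parameter "id" are placeholders for the document
# management page and its URL parameter named in the advisory.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Mar/2021:10:00:01 +0800] "GET /eip/doc.aspx?id=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Mar/2021:10:00:02 +0800] "GET /eip/doc.aspx?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 88',
    '10.0.0.9 - - [01/Mar/2021:10:00:03 +0800] "GET /eip/doc.aspx?id=1%20UNION%20SELECT%201,2-- HTTP/1.1" 200 2048',
    '10.0.0.7 - - [01/Mar/2021:10:00:04 +0800] "GET /eip/search.aspx?q=selected+documents HTTP/1.1" 200 777',
]

# Common Log Format: client, identd, user, [timestamp], "METHOD URL PROTO", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Matched against each *decoded* parameter value, not the raw URL, so words like "selected" stay quiet.
SQLI_INDICATORS = [
    ("quoted boolean", re.compile(r"'\s*(?:or|and)\s+[^=]*=", re.I)),      # ' OR '1'='1
    ("union select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("trailing sql comment", re.compile(r"(?:--|/\*|#)\s*$")),
]


def scan_line(line):
    """Return one finding per suspicious parameter in a single log line."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not a request line we understand; skip rather than guess
    findings = []
    query = urlsplit(m.group("url")).query
    for param, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes once; a second pass catches double encoding and is harmless otherwise.
        value = unquote_plus(value)
        for name, pattern in SQLI_INDICATORS:
            if pattern.search(value):
                findings.append({"src": m.group("src"), "ts": m.group("ts"),
                                 "status": m.group("status"), "param": param,
                                 "indicator": name, "value": value})
                break  # one finding per parameter is enough to raise an alert
    return findings


def scan_logs(lines):
    return [f for line in lines for f in scan_line(line)]


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"{f['ts']} {f['src']} param={f['param']} {f['indicator']}: {f['value']!r} (HTTP {f['status']})")
```

Correlate findings with the response status: a 500 after a quoted boolean suggests the injected quote reached the database, while a 200 with an unusually large response after a UNION SELECT is the pattern to expect when data is being returned.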
