CVE-2021-43851

8.1 HIGH

📋 TL;DR

CVE-2021-43851 is an SQL injection vulnerability in Anuko Time Tracker that allows attackers to execute arbitrary SQL commands via the 'group' and 'status' parameters in POST requests. This affects all users of Time Tracker version 1.19.33.5606 and prior. Successful exploitation could lead to data theft, modification, or deletion.

💻 Affected Systems

Products:
  • Anuko Time Tracker
Versions: 1.19.33.5606 and prior
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations with default configuration. The vulnerability exists in multiple PHP files including groups.php and files using status parameters.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including theft of sensitive user data, credential extraction, and potential remote code execution if database permissions allow.

🟠

Likely Case

Unauthorized data access and manipulation of time tracking records, user accounts, and organizational data.

🟢

If Mitigated

Limited impact with proper input validation and database permission restrictions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but SQL injection via POST parameters is straightforward for attackers with valid credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.19.33.5607

Vendor Advisory: https://github.com/anuko/timetracker/security/advisories/GHSA-wx6x-6rq3-pqcc

Restart Required: No

Instructions:

1. Backup your current installation and database.
2. Download version 1.19.33.5607 or later from the official repository.
3. Replace all files with the patched version.
4. Verify the ttValidStatus and ttValidInteger functions are present in the codebase.

🔧 Temporary Workarounds

Input Validation Functions

all

Manually implement the ttValidStatus and ttValidInteger functions from the patched version to validate user inputs.

Copy functions from: https://github.com/anuko/timetracker/commit/0cf32f1046418aa2e5218b0b370064820c330c6a
Apply them to every file that reads the status and group parameters

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns in POST parameters
  • Restrict database user permissions to minimum required operations

🔍 How to Verify

Check if Vulnerable:

Check if your version is 1.19.33.5606 or earlier by examining the version.php file or checking the admin interface.

Check Version:

grep -r "define('APP_VERSION'" /path/to/timetracker/

Alternatively, check the admin dashboard.

Verify Fix Applied:

Verify version is 1.19.33.5607 or later and confirm ttValidStatus and ttValidInteger functions exist in the codebase.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by POST requests with SQL-like patterns in parameters

Network Indicators:

  • POST requests to groups.php or other endpoints with SQL injection payloads in parameters

SIEM Query:

source="web_server" AND (method="POST" AND (uri="*groups.php*" OR parameters CONTAINS "' OR '1'='1" OR parameters CONTAINS "UNION SELECT"))
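The SIEM query above only matches two literal signatures in the raw parameter string, so a URL-encoded or reworded payload slips past it. As an added example (not part of this advisory or the Time Tracker project), the following Python decodes the POST parameters first and flags the two affected parameters both by signature and by shape, mirroring what the patched validators are assumed to accept (a decimal integer for 'group'; empty, 0 or 1 for 'status'). The log format is an assumption: one line per request as "METHOD PATH POST-BODY", with constructed sample lines embedded.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines (not real traffic): "METHOD PATH POST-BODY".
# Assumed layout; adapt the split() below to your own access-log format.
SAMPLE_LOG = """\
POST /timetracker/groups.php group=12&status=1
POST /timetracker/groups.php group=12%27+OR+%271%27%3D%271&status=1
POST /timetracker/groups.php group=5&status=1+UNION+SELECT+login%2Cpassword+FROM+tt_users
POST /timetracker/users.php group=7&status=0%20or%201%3D1
GET /timetracker/groups.php group=12
POST /timetracker/login.php login=admin&password=secret
"""

# Signatures from the page's SIEM query plus common spacing variants.
SIGNATURES = [
    re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I),
    re.compile(r"\bunion\s+select\b", re.I),
    re.compile(r"\bor\s+1\s*=\s*1\b", re.I),
]
# Expected shape of the two parameters (assumption about the patched
# validators: 'group' is a decimal integer, 'status' is empty, 0 or 1).
EXPECTED = {"group": re.compile(r"^\d+$"), "status": re.compile(r"^[01]?$")}

def flag_params(body):
    """Return {param: reason} for 'group'/'status' values that look injected."""
    flagged = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name not in EXPECTED:
            continue
        for value in values:  # parse_qs URL-decodes, so %27 is already a quote
            if any(sig.search(value) for sig in SIGNATURES):
                flagged[name] = "signature"
            elif not EXPECTED[name].match(value):
                flagged[name] = "unexpected value"
    return flagged

def scan_log(text):
    """Return (line_no, path, flagged) for POSTs whose parameters fail the checks."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        parts = line.split(" ", 2)
        if len(parts) < 3 or parts[0] != "POST":
            continue
        flagged = flag_params(parts[2])
        if flagged:
            hits.append((line_no, parts[1], flagged))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The shape check is what catches the fourth sample line, which carries no quote and would not match the SIEM query as written.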

🔗 References
