CVE-2022-0362 – CVE-2022-0362 is a critical SQL injection vulne... (How to Fix)

Q: What is the severity of CVE-2022-0362?

CVE-2022-0362 has a CVSS score of 9.8 (CRITICAL). CVE-2022-0362 is a critical SQL injection vulnerability in showdoc documentation software that allows attackers to execute arbitrary SQL commands. This affects all showdoc installations prior to version 2.10.3. Attackers can potentially access, modify, or delete database content through this vulnerability.

📋 TL;DR

CVE-2022-0362 is a critical SQL injection vulnerability in showdoc documentation software that allows attackers to execute arbitrary SQL commands. This affects all showdoc installations prior to version 2.10.3. Attackers can potentially access, modify, or delete database content through this vulnerability.

💻 Affected Systems

Products:

showdoc/showdoc

Versions: All versions prior to 2.10.3

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all showdoc deployments regardless of configuration

📦 What is this software?

Showdoc by Showdoc

View all CVEs affecting Showdoc →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to RCE chaining

🟠

Likely Case

Unauthorized database access allowing extraction of sensitive information, user credentials, and documentation content

🟢

If Mitigated

Limited impact with proper input validation and database permissions restricting damage to non-critical data

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

SQL injection requires authentication but is straightforward to exploit once authenticated

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.10.3

Vendor Advisory: https://github.com/star7th/showdoc/commit/2b34e267e4186125f99bfa420140634ad45801fb

Restart Required: Yes

Instructions:

1. Backup your showdoc installation and database. 2. Update to showdoc version 2.10.3 or later via git pull or package update. 3. Restart the showdoc service. 4. Verify the update was successful.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement strict input validation for all user-controlled parameters in SQL queries

Database Permission Reduction

all

Restrict database user permissions to minimum required operations

🧯 If You Can't Patch

Implement web application firewall (WAF) with SQL injection protection rules
Isolate showdoc instance behind authentication proxy with strict access controls

🔍 How to Verify

Check if Vulnerable:

Check showdoc version in admin panel or by examining the installation directory for version files

Check Version:

Check showdoc admin interface or examine showdoc/version.txt file

Verify Fix Applied:

Confirm version is 2.10.3 or later and test SQL injection attempts are properly blocked

📡 Detection & Monitoring

Log Indicators:

Unusual SQL query patterns in database logs
Multiple failed login attempts followed by SQL-like payloads in access logs

Network Indicators:

HTTP requests containing SQL keywords (SELECT, UNION, INSERT, etc.) in parameters

SIEM Query:

source="web_access_logs" AND (SELECT OR UNION OR INSERT OR DELETE) AND uri_path="/showdoc/*"

📊 Metadata

CVE ID: CVE-2022-0362

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

Published: January 26, 2022

Last Updated: November 21, 2024

🔗 References

https://github.com/star7th/showdoc/commit/2b34e267e4186125f99bfa420140634ad45801fb Patch,Third Party Advisory
https://huntr.dev/bounties/e7c72417-eb8f-416c-8480-be76ac0a9091 Exploit,Third Party Advisory
https://github.com/star7th/showdoc/commit/2b34e267e4186125f99bfa420140634ad45801fb Patch,Third Party Advisory
https://huntr.dev/bounties/e7c72417-eb8f-416c-8480-be76ac0a9091 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-0362, you might also want to check these: