CVE-2022-0944

7.2 HIGH

📋 TL;DR

This vulnerability allows remote code execution (RCE) through template injection in SQLPad's connection test endpoint. Attackers can execute arbitrary code on the server by crafting malicious template payloads. Organizations running SQLPad versions prior to 6.10.1 are affected.

💻 Affected Systems

Products:
  • SQLPad
Versions: All versions prior to 6.10.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments with the vulnerable endpoint accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise allowing data theft, lateral movement, and persistent backdoor installation.

🟠 Likely Case: Unauthorized database access, data exfiltration, and potential privilege escalation.

🟢 If Mitigated: Limited impact with proper network segmentation and minimal privileges.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the connection test endpoint, which typically requires authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.10.1

Vendor Advisory: https://github.com/sqlpad/sqlpad/commit/3f92be386c6cd3e5eba75d85f0700d3ef54daf73

Restart Required: Yes

Instructions:

1. Stop the SQLPad service.
2. Update to version 6.10.1 or later via package manager or manual installation.
3. Restart the SQLPad service.

🔧 Temporary Workarounds

Disable connection test endpoint (applies to: all)

Remove or restrict access to the vulnerable /api/test-connection endpoint:

  • Configure the web server (nginx/apache) to block /api/test-connection
  • Use application firewall rules to restrict the endpoint

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach SQLPad
  • Apply principle of least privilege to SQLPad service account and database connections

🔍 How to Verify

Check if Vulnerable:

Check SQLPad version via web interface or package manager. Versions <6.10.1 are vulnerable.

Check Version:

Run npm list sqlpad (if installed via npm), or check the version field in package.json.

Verify Fix Applied:

Confirm the version is 6.10.1 or higher and that the connection test endpoint no longer accepts template injection.

📡 Detection & Monitoring

Log Indicators:

  • Unusual template syntax in connection test requests
  • Multiple failed connection attempts with template payloads

Network Indicators:

  • POST requests to /api/test-connection containing template injection patterns

SIEM Query:

source="sqlpad" AND (uri_path="/api/test-connection" AND request_body MATCHES "\{\{.*\}\}")
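The SIEM rule above expressed as a standalone log scanner, added here as an example and not part of the original advisory. It assumes a one-JSON-object-per-line access log with the fields method, uri_path, request_body and src (an assumed schema), and URL-decodes the body before matching so that percent-encoded braces are caught as well; the sample log lines are constructed.

```python
import json
import re
from urllib.parse import unquote

# The page's SIEM rule matches "{{ ... }}" in bodies posted to the connection
# test endpoint. Decoding the body first also catches URL-encoded braces
# (%7B%7B ... %7D%7D), which a literal match on the raw body would miss.
TEMPLATE_RE = re.compile(r"\{\{.*?\}\}", re.DOTALL)
TARGET_PATH = "/api/test-connection"


def is_suspicious(entry: dict) -> bool:
    """True for a POST to the connection test endpoint whose body contains a
    template expression; the single braces of a normal JSON body do not match."""
    if entry.get("method") != "POST" or entry.get("uri_path") != TARGET_PATH:
        return False
    body = entry.get("request_body") or ""
    return TEMPLATE_RE.search(unquote(body)) is not None


def scan(log_lines):
    """Parse one-JSON-object-per-line access logs and return matching entries."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # unstructured line: skip it rather than abort the scan
        if is_suspicious(entry):
            hits.append(entry)
    return hits


# Constructed sample entries (not real SQLPad logs); the field names are an
# assumed log schema. The template expression used is inert arithmetic.
SAMPLE_ENTRIES = [
    # ordinary connection test: JSON braces only, must not match
    {"src": "10.0.0.5", "method": "POST", "uri_path": TARGET_PATH,
     "request_body": '{"name":"prod","driver":"postgres","host":"db.internal"}'},
    # template expression inside a field
    {"src": "10.0.0.9", "method": "POST", "uri_path": TARGET_PATH,
     "request_body": '{"name":"x","driver":"postgres","host":"{{ 1 + 1 }}"}'},
    # same expression, URL-encoded; a raw-string match would miss it
    {"src": "10.0.0.9", "method": "POST", "uri_path": TARGET_PATH,
     "request_body": "name=x&host=%7B%7B%201%20%2B%201%20%7D%7D"},
    # template syntax on a different endpoint: outside this rule's scope
    {"src": "10.0.0.7", "method": "POST", "uri_path": "/api/queries",
     "request_body": '{"text":"select 1 -- {{ not tested here }}"}'},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_ENTRIES] + ["not json at all"]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"ALERT src={hit['src']} body={hit['request_body']!r}")
```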
