CVE-2022-1731
📋 TL;DR
Metasonic Doc WebClient versions 7.0.14.0, 7.0.12.0, and 7.0.3.0 contain a SQL injection vulnerability in the username field when SSO or System authentication is enabled. This allows authenticated attackers to execute arbitrary SQL commands on the database. Organizations using these vulnerable configurations are affected.
💻 Affected Systems
- Metasonic Doc WebClient
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data manipulation, privilege escalation, and potential remote code execution on the database server.
Likely Case
Unauthorized data access, extraction of sensitive information, and potential lateral movement within the database environment.
If Mitigated
Limited impact due to proper input validation, parameterized queries, and database permission restrictions.
🎯 Exploit Status
Requires authenticated access with SSO or System authentication enabled. SQL injection in username field is typically straightforward to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.0.15.0 or later
Vendor Advisory: https://www.tenable.com/security/research/tra-2022-17
Restart Required: Yes
Instructions:
1. Download and install Metasonic Doc WebClient version 7.0.15.0 or later from the vendor. 2. Restart the WebClient service. 3. Verify the update was successful.
🔧 Temporary Workarounds
Disable SSO/System Authentication
windowsTemporarily disable Single Sign-On or System authentication to remove the vulnerable condition.
Configure authentication settings in Metasonic Doc WebClient administration panel
Implement WAF Rules
allDeploy web application firewall rules to block SQL injection patterns in username fields.
Add WAF rule: Detect and block SQL injection patterns in POST parameters
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries at the application layer
- Apply database-level controls: minimal privileges, query logging, and intrusion detection
🔍 How to Verify
Check if Vulnerable:
Check WebClient version in administration panel and verify if SSO or System authentication is enabled.Check Version:
Check version in Metasonic Doc WebClient administration interface or installation directory propertiesVerify Fix Applied:
Confirm installation of version 7.0.15.0 or later and test username field with SQL injection test payloads.📡 Detection & Monitoring
Log Indicators:
- Unusual database queries from WebClient application
- SQL error messages in application logs
- Multiple failed login attempts with SQL syntax
Network Indicators:
- POST requests to login endpoints containing SQL keywords in username parameter
- Unusual database traffic patterns from WebClient server
SIEM Query:
source="webclient_logs" AND (message="*SQL*" OR message="*syntax*" OR message="*injection*")