CVE-2022-24707

7.4 HIGH

📋 TL;DR

CVE-2022-24707 is a SQL injection vulnerability in Anuko Time Tracker's Puncher plugin that allows attackers to execute arbitrary SQL commands via unsanitized date parameters in POST requests. This affects all users running Anuko Time Tracker versions prior to 1.20.0.5642. Successful exploitation could lead to database compromise, data theft, or unauthorized access.

💻 Affected Systems

Products:
  • Anuko Time Tracker
Versions: All versions prior to 1.20.0.5642
Operating Systems: Any OS running PHP web server
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the Puncher plugin specifically, but affects the entire application when this plugin is enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise allowing data exfiltration, privilege escalation, or full system takeover through SQL injection leading to remote code execution.

🟠 Likely Case

Unauthorized data access, modification, or deletion of time tracking records, user credentials, and sensitive business information.

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and web application firewall rules blocking SQL injection patterns.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the Puncher plugin functionality, which typically requires authentication, but the SQL injection itself is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.20.0.5642

Vendor Advisory: https://github.com/anuko/timetracker/security/advisories/GHSA-wqx7-95fx-wjxj

Restart Required: Yes

Instructions:

1. Back up your database and application files.
2. Download version 1.20.0.5642 or later from the official repository.
3. Replace the existing files with the patched version.
4. Restart your web server.
5. Verify the fix by checking the version and testing functionality.

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all

Add custom input validation for date parameters in the Puncher plugin so that any value that is not a well-formed date is rejected before it reaches a query

Modify the PHP code to validate date parameters against a strict format (for example, a regex plus a calendar-date check) and to escape or, preferably, bind the validated value as a query parameter instead of concatenating it into the SQL string
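The workaround above in code form, as an added illustration rather than Anuko Time Tracker's own code: a strict date check followed by a bound parameter, shown next to the string-concatenation pattern the advisory describes. The table name `time_entries`, the column names and the function names are assumptions made for the example.

```php
<?php
// Added illustrative example, not Anuko Time Tracker's own code.
// Table/column/function names below are assumptions.

// Strict validation: accept only a real calendar date in YYYY-MM-DD form.
// createFromFormat() alone is too lenient (it rolls "2022-02-31" over into
// March), so the round-trip comparison rejects such values as well.
function validate_date(string $input): ?string {
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $input)) {
        return null;
    }
    $dt = DateTime::createFromFormat('!Y-m-d', $input);
    if ($dt === false || $dt->format('Y-m-d') !== $input) {
        return null;
    }
    return $input;
}

// VULNERABLE pattern (the class of bug in this advisory): the POST value is
// concatenated straight into the statement, so a crafted "date" string can
// alter the SQL that the database executes.
function punch_records_vulnerable(mysqli $db, int $userId, string $date) {
    $sql = "SELECT * FROM time_entries WHERE user_id = $userId AND date = '$date'";
    return $db->query($sql);
}

// HARDENED pattern: validate the format, then bind the value as a parameter
// so the database only ever treats it as data.
function punch_records_safe(mysqli $db, int $userId, string $date): array {
    $clean = validate_date($date);
    if ($clean === null) {
        http_response_code(400);
        return [];  // reject outright rather than trying to "clean" a bad value
    }
    $stmt = $db->prepare('SELECT * FROM time_entries WHERE user_id = ? AND date = ?');
    $stmt->bind_param('is', $userId, $clean);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage inside the request handler (session and POST field names assumed):
// $rows = punch_records_safe($db, (int) $_SESSION['user_id'], $_POST['date'] ?? '');
```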

Web Application Firewall Rules

Applies to: all

Implement WAF rules to block SQL injection patterns in POST requests to the Puncher plugin

Add WAF rules to detect and block SQL keywords in POST parameters: UNION, SELECT, INSERT, UPDATE, DELETE, DROP, etc. Scope the rules to the Puncher plugin's date parameters, which should only ever contain a date, so that keyword matching does not produce false positives on legitimate free-text fields elsewhere in the application.

🧯 If You Can't Patch

  • Disable the Puncher plugin entirely if not required for business operations
  • Implement network segmentation to restrict access to the Time Tracker application to authorized users only

🔍 How to Verify

Check if Vulnerable:

Check if your Anuko Time Tracker version is below 1.20.0.5642 by examining the version file or admin interface

Check Version:

Check the version.php file, or log in to the admin panel and review the system information

Verify Fix Applied:

After patching, verify the version shows 1.20.0.5642 or higher and test the Puncher plugin functionality with normal inputs

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in web server logs
  • Multiple failed login attempts followed by SQL injection patterns
  • POST requests to puncher.php with SQL keywords in parameters

Network Indicators:

  • HTTP POST requests containing SQL injection payloads in date parameters
  • Unusual database query patterns from web server IP

SIEM Query:

source="web_server" AND (url="*puncher.php*" AND (param="*UNION*" OR param="*SELECT*" OR param="*--*" OR param="*' OR '*"))
