CVE-2022-27978

7.5 HIGH

📋 TL;DR

CVE-2022-27978 is an improper input validation vulnerability in Tooljet v1.6 that allows attackers to reset arbitrary user passwords via crafted API requests. This affects all Tooljet v1.6 deployments with default configurations. Attackers can compromise user accounts without authentication.

💻 Affected Systems

Products:
  • Tooljet
Versions: v1.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of Tooljet v1.6 are vulnerable regardless of configuration. The vulnerability exists in the core API handling.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover of all users, leading to data exfiltration, privilege escalation, and potential lateral movement within the Tooljet environment.

🟠 Likely Case

Targeted password resets for specific users, resulting in unauthorized access to sensitive Tooljet applications and data.

🟢 If Mitigated

Minimal impact if proper network segmentation, authentication controls, and monitoring are in place to detect and block exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a crafted HTTP request to the vulnerable API endpoint. No authentication or special privileges are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.7.0

Vendor Advisory: https://github.com/fourcube/security-advisories/blob/main/security-advisories/20220320-tooljet.md

Restart Required: Yes

Instructions:

1. Back up your Tooljet instance.
2. Update Tooljet to version 1.7.0 or later.
3. Restart the Tooljet service.
4. Verify the update was successful.

🔧 Temporary Workarounds

API Endpoint Restriction

Block or restrict access to the vulnerable password reset API endpoint using web application firewall or reverse proxy rules.

# Example nginx location block (this also blocks legitimate password resets; remove it once the patch is applied)
location ~* /api/password-reset {
    deny all;    # every request to the reset endpoint gets a 403
}

🧯 If You Can't Patch

  • Implement strict network access controls to limit Tooljet API access to trusted IP addresses only.
  • Enable detailed logging for all authentication-related API calls and monitor for suspicious password reset attempts.

🔍 How to Verify

Check if Vulnerable:

Check whether the deployed Tooljet version is 1.6 by opening the admin panel or inspecting the deployment configuration.

Check Version:

docker exec tooljet cat /app/package.json | grep version

Verify Fix Applied:

Confirm Tooljet version is 1.7.0 or later and test password reset functionality with invalid inputs.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed password reset attempts from single IP
  • Password reset requests with malformed or missing parameters
  • Successful password resets for non-existent users

Network Indicators:

  • HTTP POST requests to /api/password-reset with crafted payloads
  • Unusual spike in authentication-related API traffic

SIEM Query:

source="tooljet" AND (url_path="/api/password-reset" OR event_type="password_reset")
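The log indicators above can be turned into a simple detector. The following is an added example, not code from the original page or from the Tooljet project: it parses constructed access-log lines in a generic combined format (Tooljet's real log layout is not assumed) and flags any source IP that sends several POSTs to /api/password-reset within a short window, reporting how many of them failed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a generic combined access-log layout (not Tooljet's own format).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2022:10:00:01 +0000] "POST /api/password-reset HTTP/1.1" 400 52
203.0.113.7 - - [20/Mar/2022:10:00:03 +0000] "POST /api/password-reset HTTP/1.1" 400 52
203.0.113.7 - - [20/Mar/2022:10:00:04 +0000] "POST /api/password-reset HTTP/1.1" 400 52
203.0.113.7 - - [20/Mar/2022:10:00:06 +0000] "POST /api/password-reset HTTP/1.1" 200 17
198.51.100.2 - - [20/Mar/2022:10:05:00 +0000] "POST /api/password-reset HTTP/1.1" 200 17
198.51.100.2 - - [20/Mar/2022:10:05:02 +0000] "GET /api/apps HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
RESET_PATH = "/api/password-reset"  # endpoint named in the advisory's network indicators

def parse_line(line):
    # Return a dict for a well-formed access-log line, None for anything else.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path").split("?", 1)[0], "status": int(m.group("status"))}

def find_reset_bursts(log_text, threshold=3, window=timedelta(minutes=1)):
    # {ip: (total_reset_posts, failed_reset_posts)} for every IP that sent at least
    # `threshold` POSTs to the reset endpoint inside any `window`-long interval.
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == RESET_PATH:
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding window over the sorted timestamps
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                failed = sum(1 for r in recs if 400 <= r["status"] < 500)
                flagged[ip] = (len(recs), failed)
                break
    return flagged
```

Feed real access logs to `find_reset_bursts` and tune `threshold` and `window` to the normal reset rate of your instance; the sample flags 203.0.113.7 (four reset POSTs in six seconds, three of them rejected) and not 198.51.100.2.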
