CVE-2022-28111

CVSS v3.1 base score: 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

📋 TL;DR

CVE-2022-28111 is a time-based blind SQL injection in MyBatis PageHelper. PageHelper appends the string passed to PageHelper.orderBy() or PageHelper.startPage(pageNum, pageSize, orderBy) to the generated ORDER BY clause without validating it, so any application that forwards request-controlled input into that argument lets an attacker run arbitrary SQL. Because an ORDER BY clause returns no attacker-readable output, data is usually extracted by injecting delay functions and measuring response times. Impact ranges from reading to modifying or deleting data in the application's database. Every application on a vulnerable version that passes untrusted input to orderBy is affected.

💻 Affected Systems

Products:
  • MyBatis PageHelper (Maven: com.github.pagehelper:pagehelper; also pulled in transitively by com.github.pagehelper:pagehelper-spring-boot-starter)
Versions: v1.x.x-v3.7.0, v4.0.0-v5.0.0, v5.1.0-v5.3.0
Operating Systems: All (pure Java library)
Default Config Vulnerable: ⚠️ Yes. No PageHelper setting disables the orderBy concatenation; the library itself validates nothing in any configuration.
Notes: Exploitability depends on application code. An application is exposed only where it passes user-controlled input (query string, JSON body, header) into the orderBy argument of PageHelper.startPage() or PageHelper.orderBy(). Hard-coded or server-side allow-listed sort expressions are not injectable.

📦 What is this software?

MyBatis PageHelper is an open-source pagination plugin for the MyBatis persistence framework for Java. It is implemented as a MyBatis interceptor that rewrites a mapper's SQL at runtime to add database-specific paging (LIMIT/OFFSET, ROWNUM and similar) and, when requested, an ORDER BY clause built from the orderBy string the application supplies. It is widely used in Java web back ends, often through its Spring Boot starter.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise: exfiltration, modification and deletion of all data reachable by the application's database account and, where that account holds dangerous privileges, code execution on the database host through engine-specific functions or procedures (file-write primitives, command-execution stored procedures).

🟠 Likely Case

Slow, automated extraction of database contents through time-based inference, including user credentials, personal data and business records. Tools that automate time-based blind injection make this practical despite the low bandwidth of the technique.

🟢 If Mitigated

Limited impact where the orderBy value is restricted to an allow-list of column names before it reaches PageHelper and the application's database account holds only the privileges it needs. Note that parameterized queries do not help here: ORDER BY column names cannot be bound as prepared-statement parameters, so an allow-list is the required control.

🌐 Internet-Facing: HIGH - Web applications using vulnerable versions expose database to external attackers.
🏢 Internal Only: MEDIUM - Internal applications still vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes, wherever the paginated endpoint that forwards orderBy is reachable without authentication
Complexity: LOW

Time-based blind injection extracts data by observing response delays, so it needs many requests and some timing analysis, but the technique is well documented and fully automated by common SQL injection tools. The only precondition is an endpoint that forwards user input to PageHelper's orderBy argument.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v5.3.1 and later

Vendor Advisory: https://github.com/pagehelper/Mybatis-PageHelper/issues/674

Restart Required: Yes

Instructions:

1. Update the MyBatis PageHelper dependency to 5.3.1 or later in pom.xml, build.gradle or build.gradle.kts. If you use pagehelper-spring-boot-starter, raise the starter to a release that resolves to pagehelper 5.3.1 or later and confirm the resolved version in the dependency tree, because the starter's own version number differs from the library's.
2. Rebuild and redeploy the application.
3. Restart the application server.
4. Keep application-side allow-list validation of sort fields in place. The upstream fix rejects orderBy values that look like injection; an explicit allow-list of column names remains the stronger control.

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all versions

Never pass a raw request value into PageHelper.startPage(..., orderBy) or PageHelper.orderBy(). Map the client-facing sort key to a hard-coded column name and restrict the direction to asc/desc, rejecting anything else rather than trying to sanitize it; an allow-list is the correct control because ORDER BY column names cannot be bound as prepared-statement parameters. A servlet filter or Spring interceptor can enforce this globally for a known parameter name, but validation at the call site is more reliable since it also covers values arriving in JSON bodies or headers.
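As an added example (not code from the PageHelper project or from this page), the following Java class shows the vulnerable call beside an allow-list version. PageHelper.startPage(pageNum, pageSize, orderBy) and PageInfo are PageHelper's real API; UserMapper, User, the sort-key names and the column names are hypothetical stand-ins for an application's own code.

```java
import com.github.pagehelper.PageHelper;
import com.github.pagehelper.PageInfo;

import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not PageHelper project code. UserMapper, User and the sort keys
 * are hypothetical; PageHelper.startPage(pageNum, pageSize, orderBy) is the real
 * API whose third argument lands in the generated ORDER BY clause unchanged.
 */
public class UserQueryService {

    /** Minimal stand-ins for the application's MyBatis mapper and entity (hypothetical). */
    public interface UserMapper {
        List<User> selectAll();
    }

    public static final class User {
        public long id;
        public String userName;
    }

    /** Allow-list: client-facing sort keys mapped to fixed, hard-coded column names. */
    private static final Map<String, String> SORT_COLUMNS = Map.of(
            "id", "id",
            "name", "user_name",
            "created", "created_at");

    private static final Set<String> DIRECTIONS = Set.of("asc", "desc");

    private static final int MAX_PAGE_SIZE = 200;

    private final UserMapper userMapper;

    public UserQueryService(UserMapper userMapper) {
        this.userMapper = userMapper;
    }

    /** VULNERABLE pattern: the raw request value goes straight into ORDER BY. */
    public PageInfo<User> listUsersUnsafe(int pageNum, int pageSize, String orderByFromRequest) {
        PageHelper.startPage(pageNum, pageSize, orderByFromRequest);
        return new PageInfo<>(userMapper.selectAll());
    }

    /** HARDENED: only an allow-listed column and direction can reach PageHelper. */
    public PageInfo<User> listUsers(int pageNum, int pageSize, String sortKey, String direction) {
        int safeSize = Math.max(1, Math.min(pageSize, MAX_PAGE_SIZE)); // bound page size too
        PageHelper.startPage(Math.max(1, pageNum), safeSize, buildOrderBy(sortKey, direction));
        return new PageInfo<>(userMapper.selectAll());
    }

    /**
     * Translates untrusted (sortKey, direction) into a fixed ORDER BY fragment.
     * Unknown input is rejected, never "cleaned": stripping characters from
     * attacker input is how most sanitizers get bypassed.
     */
    static String buildOrderBy(String sortKey, String direction) {
        String key = sortKey == null ? "id" : sortKey.toLowerCase(Locale.ROOT);
        String column = SORT_COLUMNS.get(key);
        if (column == null) {
            throw new IllegalArgumentException("unsupported sort key");
        }
        String dir = direction == null ? "asc" : direction.toLowerCase(Locale.ROOT);
        if (!DIRECTIONS.contains(dir)) {
            throw new IllegalArgumentException("unsupported sort direction");
        }
        return column + " " + dir;
    }
}
```

The hardened method never forwards a request string: the only values that can reach PageHelper are the literal column names in SORT_COLUMNS and the literal words asc/desc. The same mapping approach works with PageHelper.orderBy() when paging and sorting are set separately.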

Database Permission Reduction

Applies to: all versions

Run the application with a database account that holds only the privileges its queries need. In particular, revoke file-system and command-execution capabilities (for example MySQL FILE, execution of MSSQL xp_cmdshell, PostgreSQL superuser or the pg_read_server_files/pg_write_server_files roles) and DDL rights, and deny access to other schemas. This does not stop data extraction from the application's own tables, but it removes the escalation paths that turn SQL injection into host compromise.

🧯 If You Can't Patch

  • Apply WAF rules on the orderBy parameter: block values containing time-delay functions (sleep, benchmark, pg_sleep, waitfor, dbms_lock.sleep), comment sequences, quotes or parentheses, or, better, allow only values matching a column-name/direction pattern. Match on the URL-decoded value; encoded and double-encoded payloads otherwise pass.
  • Deploy a database firewall or query monitoring to alert on or block ORDER BY clauses containing function calls or subqueries from the application's account.
  • Treat both as stopgaps: blocklists can be evaded and neither addresses the underlying string concatenation.

🔍 How to Verify

Check if Vulnerable:

Look up the resolved PageHelper version, not only the one declared in the build file: the version may come transitively from pagehelper-spring-boot-starter or from a parent POM. Then check whether any code path passes user input to PageHelper.startPage(pageNum, pageSize, orderBy) or PageHelper.orderBy().

Check Version:

grep -in pagehelper pom.xml build.gradle build.gradle.kts 2>/dev/null
mvn dependency:tree -Dincludes=com.github.pagehelper
gradle dependencies --configuration runtimeClasspath | grep -i pagehelper

Verify Fix Applied:

Confirm that the resolved com.github.pagehelper:pagehelper artifact is 5.3.1 or later (in the dependency tree output or in the deployed WAR/JAR's lib directory), then exercise the paginated endpoints to verify that sorting still works.

📡 Detection & Monitoring

Log Indicators:

  • Database slow-query or audit logs showing ORDER BY clauses from the application account that contain function calls (sleep, benchmark, pg_sleep), subqueries or conditional expressions
  • Application logs with repeated orderBy values that are not plain column names or, on 5.3.1 and later, PageHelper exceptions rejecting an orderBy value
  • Bursts of near-identical requests from one client that differ only in the orderBy value, the pattern of automated boolean/time-based probing

Network Indicators:

  • HTTP requests whose orderBy parameter contains SQL keywords, parentheses, comment sequences or quotes after URL decoding
  • Clusters of requests to the same paginated endpoint with response times stepping in fixed increments (for example around 5 seconds), the signature of time-based inference

SIEM Query:

web_access_logs
| extend order_by = url_decode(extract_query_param(url, 'orderBy'))
| where order_by matches regex '(?i)\b(sleep|benchmark|pg_sleep|waitfor|dbms_lock)\b' or order_by contains '(' or order_by contains '--'
| summarize hits = count(), max_response_time = max(response_time) by client_ip, bin(timestamp, 5m)
| where hits > 20 or max_response_time > 3s

(Illustrative pseudo-syntax; adapt field and function names to your SIEM. Decode the parameter before matching, otherwise encoded payloads are missed.)
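To show the detection logic behind the indicators above actually running, here is an added Java (16+) example that is not from the original page: it parses constructed access-log lines, URL-decodes the orderBy value twice, and flags delay functions, values that do not look like a column list, and slow responses. The log format, the trailing response-time field and the sample lines are constructed assumptions, not a real server's output.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not from the original page: scans access-log lines for orderBy
 * values that look like time-based SQL injection. The log format and the sample
 * lines are constructed; the last field is assumed to be response time in seconds.
 */
public class OrderByLogScanner {

    /** Time-delay primitives used by time-based blind SQLi on common engines. */
    private static final Pattern DELAY_FUNCS = Pattern.compile(
            "(?i)\\b(sleep|benchmark|pg_sleep|waitfor|dbms_lock\\.sleep|dbms_pipe\\.receive_message)\\b");

    /** Shape of a benign value: column[.column][ asc|desc], comma separated. */
    private static final Pattern BENIGN_ORDER_BY = Pattern.compile(
            "(?i)^\\s*[a-z_][a-z0-9_]*(\\.[a-z_][a-z0-9_]*)?(\\s+(asc|desc))?"
          + "(\\s*,\\s*[a-z_][a-z0-9_]*(\\.[a-z_][a-z0-9_]*)?(\\s+(asc|desc))?)*\\s*$");

    /** Assumed parameter name; the value ends at '&', whitespace or the closing quote. */
    private static final Pattern ORDER_BY_PARAM = Pattern.compile("[?&]orderBy=([^&\\s\"]*)");

    /** Responses slower than this on an orderBy request are worth a look even if the value passes. */
    private static final double SLOW_SECONDS = 3.0;

    public record Finding(String reason, String decodedOrderBy, String line) {}

    public static List<Finding> scan(List<String> logLines) {
        List<Finding> findings = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = ORDER_BY_PARAM.matcher(line);
            if (!m.find()) {
                continue;
            }
            // Decode twice so double-encoded payloads (%2528 -> %28 -> '(') are seen in clear.
            String decoded = urlDecode(urlDecode(m.group(1)));
            if (DELAY_FUNCS.matcher(decoded).find()) {
                findings.add(new Finding("time-delay function", decoded, line));
            } else if (!BENIGN_ORDER_BY.matcher(decoded).matches()) {
                findings.add(new Finding("unexpected ORDER BY shape", decoded, line));
            } else if (responseSeconds(line) >= SLOW_SECONDS) {
                findings.add(new Finding("slow response on orderBy request", decoded, line));
            }
        }
        return findings;
    }

    private static String urlDecode(String s) {
        try {
            return URLDecoder.decode(s, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return s; // malformed %-escape: keep the raw value rather than drop the line
        }
    }

    private static double responseSeconds(String line) {
        String[] fields = line.trim().split("\\s+");
        try {
            return Double.parseDouble(fields[fields.length - 1]);
        } catch (NumberFormatException e) {
            return 0.0;
        }
    }

    public static void main(String[] args) {
        List<String> sample = List.of( // constructed lines; last field = response time in seconds
            "10.0.0.5 - - \"GET /api/users?pageNum=1&pageSize=20&orderBy=created_at%20desc HTTP/1.1\" 200 1532 0.021",
            "10.0.0.9 - - \"GET /api/users?pageNum=1&pageSize=20&orderBy=id%20and%20sleep(5) HTTP/1.1\" 200 1532 5.044",
            "10.0.0.9 - - \"GET /api/users?pageNum=1&pageSize=20&orderBy=id%2520and%2520SLEEP%25285%2529 HTTP/1.1\" 200 1532 5.031",
            "10.0.0.9 - - \"GET /api/users?pageNum=1&pageSize=20&orderBy=id%2C(select%201) HTTP/1.1\" 200 1532 0.024",
            "10.0.0.9 - - \"GET /api/users?pageNum=1&pageSize=20&orderBy=id HTTP/1.1\" 200 1532 5.102",
            "10.0.0.7 - - \"GET /api/users?pageNum=1&pageSize=20&orderBy=user_name%2Cid%20asc HTTP/1.1\" 200 1532 0.019");
        for (Finding f : scan(sample)) {
            System.out.println(f.reason() + " | " + f.decodedOrderBy() + " | " + f.line());
        }
    }
}
```

Running the class prints four findings for the six constructed lines (two delay-function matches, one of them double-encoded, one malformed value that uses no known function name, and one plain value with a suspiciously slow response) and nothing for the two benign lines. The shape check catches payloads that avoid the keyword list, which is why it belongs next to the keyword match rather than instead of it.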

🔗 References

  • NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-28111
  • Vendor issue: https://github.com/pagehelper/Mybatis-PageHelper/issues/674