CVE-2022-36276

9.9 CRITICAL

📋 TL;DR

CVE-2022-36276 is a critical SQL injection vulnerability in TCMAN GIM v8.0.1 that allows remote attackers to execute arbitrary SQL commands via the 'SqlWhere' parameter. This affects organizations using TCMAN GIM v8.0.1 for document management, potentially enabling attackers to access, modify, or delete database contents.

💻 Affected Systems

Products:
  • TCMAN GIM
Versions: v8.0.1
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the default installation of TCMAN GIM v8.0.1. The vulnerability exists in the 'BuscarESM' function.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including data theft, data destruction, privilege escalation, and potential remote code execution through database functions.

🟠 Likely Case: Unauthorized data access and extraction, potentially leading to sensitive information disclosure and data manipulation.

🟢 If Mitigated: Limited impact with proper input validation, parameterized queries, and network segmentation in place.

🌐 Internet-Facing: HIGH - Directly exploitable via web interface without authentication, making internet-facing instances extremely vulnerable.
🏢 Internal Only: HIGH - Even internal instances are vulnerable to authenticated or network-accessible attackers.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are commonly exploited with readily available tools. The CVSS score of 9.9 indicates high exploitability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v8.0.2 or later

Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-tcman-gim

Restart Required: Yes

Instructions:

1. Back up the database and configuration.
2. Download the latest version from the vendor.
3. Install the update following the vendor's instructions.
4. Restart application services.
5. Verify functionality.

🔧 Temporary Workarounds

Input Validation Filter (platform: all)

Implement web application firewall rules or input validation to block SQL injection patterns in the 'SqlWhere' parameter.

WAF rule: deny requests containing SQL keywords in the SqlWhere parameter

Network Segmentation (platform: all)

Restrict access to the TCMAN GIM application to authorized users only. Replace TRUSTED_IP and APP_PORT with your own values; on Linux, the --permanent rule only takes effect after firewalld is reloaded.

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_IP" port port="APP_PORT" protocol="tcp" accept'
netsh advfirewall firewall add rule name="TCMAN Access" dir=in action=allow protocol=TCP localport=APP_PORT remoteip=TRUSTED_IP

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries in application code
  • Deploy web application firewall with SQL injection protection rules

🔍 How to Verify

Check if Vulnerable:

Check the application version in the admin panel or configuration files. If the version is 8.0.1, the system is vulnerable.

Check Version:

Check the application web interface or configuration files for version information.

Verify Fix Applied:

Verify that the version is 8.0.2 or later. Test injection attempts against the 'SqlWhere' parameter should be rejected or handled safely.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in application logs
  • Multiple failed login attempts followed by SQL-like patterns in requests
  • Database error messages containing SQL syntax

Network Indicators:

  • HTTP requests with SQL keywords in parameters
  • Unusual database connection patterns from application server

SIEM Query:

source="web_logs" "SqlWhere" AND ("SELECT" OR "UNION" OR "INSERT" OR "DELETE" OR "DROP" OR "OR 1=1")
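The SIEM query above matches on keywords anywhere in a log line. The following added example (not from the advisory or the vendor) scopes the same check to the decoded value of the SqlWhere parameter only, so a harmless "SELECT" in another parameter is not flagged, and also catches tautologies such as OR 1=1 or OR 'a'='a'. The log lines and the /GIM/BuscarESM request path are constructed assumptions; only the parameter name comes from the page.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (not real traffic). The request path is
# an assumption; only the SqlWhere parameter name is taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2022:10:01:02 +0000] "GET /GIM/BuscarESM?SqlWhere=Estado%3D%27Abierto%27 HTTP/1.1" 200 1532
10.0.0.7 - - [12/Aug/2022:10:01:09 +0000] "GET /GIM/BuscarESM?SqlWhere=Estado%3D%27x%27+OR+1%3D1 HTTP/1.1" 200 98211
10.0.0.9 - - [12/Aug/2022:10:02:15 +0000] "GET /GIM/BuscarESM?SqlWhere=Id%3D5+UNION+SELECT+1%2C2 HTTP/1.1" 500 412
10.0.0.5 - - [12/Aug/2022:10:03:44 +0000] "GET /GIM/Informes?Tipo=SELECT HTTP/1.1" 200 2001
"""

# Keyword list mirrors the SIEM query; the tautology pattern covers
# "OR 1=1" and quoted forms such as "OR 'a'='a'" with optional spaces.
SQL_KEYWORDS = ("SELECT", "UNION", "INSERT", "DELETE", "DROP")
TAUTOLOGY = re.compile(r"\bOR\s+(\w+|'[^']*')\s*=\s*\1(?!\w)", re.IGNORECASE)
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def suspicious_sqlwhere(value: str):
    """Return why a SqlWhere value looks like injection, or None if it looks clean."""
    text = unquote_plus(value)  # second decode pass catches double-encoded input
    for kw in SQL_KEYWORDS:
        if re.search(rf"\b{kw}\b", text, re.IGNORECASE):
            return f"keyword {kw}"
    if TAUTOLOGY.search(text):
        return "tautology"
    return None


def scan_log(log_text: str):
    """Return (client_ip, status, reason, decoded_value) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for name, values in params.items():
            if name.lower() != "sqlwhere":  # parameter names treated case-insensitively
                continue
            for value in values:
                reason = suspicious_sqlwhere(value)
                if reason:
                    hits.append((line.split()[0], m.group("status"), reason, unquote_plus(value)))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Feed it your real access logs instead of SAMPLE_LOG; POST bodies are not covered here and need the same check on the form data.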
