CVE-2022-45135

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in Apache Cocoon allows attackers to execute arbitrary SQL commands on affected systems. It affects Apache Cocoon versions from 2.2.0 up to, but not including, 2.3.0. Organizations running vulnerable Cocoon installations are at risk of data breaches and system compromise.

💻 Affected Systems

Products:
  • Apache Cocoon
Versions: 2.2.0 up to, but not including, 2.3.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any Cocoon installation using vulnerable components is affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data manipulation, or full system takeover via SQL command execution.

🟠 Likely Case

Unauthorized data access, data exfiltration, or database manipulation leading to information disclosure.

🟢 If Mitigated

Limited impact due to proper input validation, parameterized queries, or database permissions restricting SQL execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities typically have low exploitation complexity when unauthenticated access is possible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.0

Vendor Advisory: https://lists.apache.org/thread/lsvd1hmr2t2q823x21d5ygzgbj9jpvjp

Restart Required: Yes

Instructions:

1. Download Apache Cocoon 2.3.0 from the official Apache repository.
2. Back up the current installation.
3. Replace it with version 2.3.0.
4. Restart Cocoon services.
5. Verify functionality.

🔧 Temporary Workarounds

Input Validation Filter (all)

Implement strict input validation and sanitization for all user inputs before processing.

Database Permission Reduction (all)

Restrict database user permissions to the minimum required operations.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) with SQL injection rules
  • Isolate Cocoon instances behind network segmentation

🔍 How to Verify

Check if Vulnerable:

Check the Cocoon version in configuration files or via the admin interface. Versions from 2.2.0 up to, but not including, 2.3.0 are vulnerable.

Check Version:

Check cocoon.properties or web.xml for version information, or use the Cocoon admin interface.

Verify Fix Applied:

Confirm the running version is 2.3.0 or higher. Test SQL injection vectors against protected endpoints.
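As an added example (not code from the advisory or the Cocoon project), a small Python helper that classifies version strings collected from an inventory against the affected range stated above (2.2.0 inclusive to 2.3.0 exclusive). The inventory entries are constructed, and ignoring pre-release suffixes such as -SNAPSHOT is an assumption.

```python
import re

# Affected range from the advisory summary: 2.2.0 <= version < 2.3.0
AFFECTED_MIN = (2, 2, 0)
FIXED = (2, 3, 0)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str):
    """Extract the first dotted numeric version from free-form text.

    Accepts "2.2.0", "Apache Cocoon 2.2.1-SNAPSHOT", "cocoon-2.3.0", etc.
    Assumption: a pre-release suffix (-RC1, -SNAPSHOT) is ignored and only
    the numeric triple decides the range. Returns None if nothing matched.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def is_affected(text: str) -> bool:
    """True when the version found in `text` lies in [2.2.0, 2.3.0)."""
    v = parse_version(text)
    if v is None:
        raise ValueError(f"no version number found in {text!r}")
    return AFFECTED_MIN <= v < FIXED


def triage(inventory: dict) -> dict:
    """Map host -> 'affected' / 'not affected' / 'unknown' for version strings."""
    result = {}
    for host, ver in inventory.items():
        try:
            result[host] = "affected" if is_affected(ver) else "not affected"
        except ValueError:
            result[host] = "unknown"  # no parseable version: needs a manual check
    return result


# Constructed sample inventory (hypothetical hosts, not real systems)
SAMPLE_INVENTORY = {
    "app-01": "Apache Cocoon 2.2.0",
    "app-02": "2.2.1-SNAPSHOT",
    "app-03": "cocoon-2.3.0",
    "app-04": "2.1.13",
    "app-05": "version unknown",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```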

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in logs
  • Multiple failed SQL query attempts
  • Suspicious parameter values in HTTP requests

Network Indicators:

  • SQL keywords in HTTP parameters
  • Unusual database connection patterns
  • Excessive failed login attempts

SIEM Query:

source="cocoon.log" AND ("SQL" OR "syntax" OR "error") AND ("SELECT" OR "INSERT" OR "UPDATE" OR "DELETE")
