CVE-2023-2681
📋 TL;DR
An authenticated SQL injection vulnerability in Jorani 1.0.0 allows low-privilege users to execute arbitrary SQL queries via the /leaves/validate endpoint's id parameter. This enables attackers to extract sensitive data from the database. Organizations running Jorani 1.0.0 for leave management are affected.
💻 Affected Systems
- Jorani
📦 What is this software?
Jorani by Jorani
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including extraction of all user credentials, personal data, and administrative access leading to full system takeover.
Likely Case
Extraction of sensitive employee data (personal information, leave records), potential privilege escalation, and data manipulation.
If Mitigated
Limited to authenticated low-privilege user data access if proper input validation and parameterized queries are implemented.
🎯 Exploit Status
SQL injection via authenticated endpoint with known vulnerable parameter makes exploitation straightforward for attackers with basic skills.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.1 or later
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/jorani-sql-injection
Restart Required: Yes
Instructions:
1. Backup your Jorani database and configuration. 2. Download Jorani 1.0.1 or later from official repository. 3. Replace vulnerable files with patched version. 4. Restart web server and verify functionality.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rules
allImplement WAF rules to block SQL injection patterns targeting /leaves/validate endpoint and id parameter.
Input Validation Filter
allAdd server-side validation to reject non-numeric values in the id parameter.
🧯 If You Can't Patch
- Restrict access to Jorani application to trusted IP addresses only using network ACLs or firewall rules.
- Implement database monitoring to detect unusual SQL queries and set up alerts for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check if running Jorani version 1.0.0 by examining application version in admin interface or configuration files.Check Version:
Check Jorani configuration files or admin dashboard for version information.Verify Fix Applied:
After patching, verify version shows 1.0.1 or later and test /leaves/validate endpoint with SQL injection test payloads to confirm they're blocked.📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in application logs
- Multiple failed authentication attempts followed by SQL injection patterns
- Unusual database queries from Jorani application user
Network Indicators:
- HTTP POST requests to /leaves/validate with SQL injection patterns in id parameter
- Unusual database connection patterns from web server
SIEM Query:
source="jorani_logs" AND (url_path="/leaves/validate" AND (param="id" AND value MATCHES "[';]|UNION|SELECT"))