CVE-2023-28437

9.8 CRITICAL

📋 TL;DR

CVE-2023-28437 is a SQL injection vulnerability in the Dataease open-source data visualization tool, caused by an incomplete SQL injection blacklist. Attackers can execute arbitrary SQL commands against the database. All Dataease users running versions before 1.18.5 are affected.

💻 Affected Systems

Products:
  • Dataease
Versions: All versions before 1.18.5
Operating Systems: All platforms running Dataease
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of Dataease before version 1.18.5 are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution on the database server.

🟠 Likely Case: Unauthorized data access, data exfiltration, and potential data corruption through SQL injection attacks.

🟢 If Mitigated: Limited impact with proper input validation, parameterized queries, and network segmentation in place.

🌐 Internet-Facing: HIGH - Web applications with SQL injection vulnerabilities are prime targets for automated scanning and exploitation.
🏢 Internal Only: HIGH - Internal attackers or compromised internal systems can exploit this vulnerability to access sensitive data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities typically have low exploitation complexity, especially when blacklist-based protections are incomplete.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.18.5

Vendor Advisory: https://github.com/dataease/dataease/security/advisories/GHSA-7j7j-9rw6-3r56

Restart Required: Yes

Instructions:

1. Back up your Dataease instance and database.
2. Download version 1.18.5 from GitHub releases.
3. Stop the Dataease service.
4. Replace the installation with the patched version.
5. Restart the service.
6. Verify functionality.

🔧 Temporary Workarounds

No official workarounds


The vendor states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Implement network segmentation to isolate Dataease from sensitive systems
  • Deploy a web application firewall (WAF) with SQL injection protection rules

🔍 How to Verify

Check if Vulnerable:

Check Dataease version via web interface admin panel or by examining deployment files for version information.

Check Version:

Check Dataease web interface admin panel or configuration files for version number.

Verify Fix Applied:

Confirm that the version shown in the admin panel is 1.18.5 or later, and test the SQL injection protection with safe test payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts with SQL-like payloads
  • Unexpected database errors in application logs

Network Indicators:

  • HTTP requests containing SQL keywords like UNION, SELECT, INSERT in parameters
  • Unusual database connection patterns

SIEM Query:

source="dataease" AND (http_uri="*UNION*" OR http_uri="*SELECT*" OR http_uri="*INSERT*" OR http_uri="*DELETE*")
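The SIEM query above is a plain keyword match on the request URI, so it misses URL-encoded payloads and flags harmless words such as "selection". The following is an added example (not part of this advisory and not Dataease code) that applies the same four keywords to access-log lines offline, URL-decoding the URI up to twice first and matching whole words case-insensitively. The log lines and request paths are constructed samples, not real Dataease traffic.

```python
import re
from urllib.parse import unquote_plus

# Keywords from the SIEM query; matched as whole words, case-insensitively.
SQL_KEYWORDS = ("UNION", "SELECT", "INSERT", "DELETE")
_KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)

# Apache/nginx "combined"-style access log line (only the fields we need).
_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_uri(uri: str) -> str:
    """URL-decode up to twice so single- and double-encoded payloads are normalised."""
    cur = uri
    for _ in range(2):
        nxt = unquote_plus(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def find_sql_keywords(uri: str) -> list:
    """Return the sorted set of SQL keywords found in the decoded URI."""
    return sorted({m.group(1).upper() for m in _KEYWORD_RE.finditer(decode_uri(uri))})


def scan_access_log(lines) -> list:
    """Return one hit dict per request whose URI contains a SQL keyword."""
    hits = []
    for line in lines:
        m = _LINE_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line; skip it
        keywords = find_sql_keywords(m.group("uri"))
        if keywords:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "uri": m.group("uri"),
                "keywords": keywords,
            })
    return hits


# Constructed sample lines (invented paths; not real Dataease traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Mar/2023:12:00:01 +0000] "GET /api/report/list?pageSize=10 HTTP/1.1" 200 512',
    '203.0.113.11 - - [10/Mar/2023:12:00:05 +0000] "GET /api/report/list?sort=name%20UNION%20SELECT%201 HTTP/1.1" 500 88',
    '198.51.100.7 - - [10/Mar/2023:12:00:09 +0000] "GET /app/selection?view=all HTTP/1.1" 200 1024',
    '203.0.113.11 - - [10/Mar/2023:12:00:12 +0000] "GET /api/report/list?sort=name%2520union%2520select HTTP/1.1" 500 88',
    'garbage line that does not parse',
]


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} "
              f"keywords={hit['keywords']} uri={hit['uri']}")
```

Only the two encoded requests from 203.0.113.11 are reported; the "/app/selection" request is not, because the keyword must stand as a whole word. Pairing each hit with the HTTP status (500 responses to keyword-bearing requests often line up with the "unexpected database errors" indicator above) helps triage before escalating.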
