CVE-2023-46954
📋 TL;DR
This SQL injection vulnerability in RelativityOne allows remote attackers to execute arbitrary SQL commands via the name parameter. Attackers can potentially read, modify, or delete database contents, and in worst cases execute arbitrary code on the server. Organizations using RelativityOne v.12.1.537.3 Patch 2 or earlier are affected.
💻 Affected Systems
- Relativity ODA LLC RelativityOne
📦 What is this software?
Relativityone by Relativity
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise leading to data exfiltration, ransomware deployment, or persistent backdoor installation across the RelativityOne environment.
Likely Case
Database compromise allowing data theft, privilege escalation, or manipulation of legal case data within the Relativity platform.
If Mitigated
Limited impact with proper input validation, parameterized queries, and network segmentation preventing lateral movement.
🎯 Exploit Status
SQL injection through a single named request parameter is the class of flaw that generic tools such as sqlmap automate end to end (fingerprinting, data extraction, and on SQL Server, command execution where the database account permits it). Treat exploitation as straightforward for anyone who can reach the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v.12.1.537.4 or later
Vendor Advisory: https://help.relativity.com/RelativityOne/Content/Relativity/Release_notes/RelativityOne_release_notes.htm
Restart Required: Yes
Instructions:
1. Contact Relativity support to confirm patch availability for your instance. RelativityOne is Relativity's hosted offering, so the vendor deploys the fix; confirm which release your environment is running.
2. Schedule a maintenance window.
3. Apply the patch following the vendor's instructions.
4. Restart the affected services.
5. Verify the fix (see "How to Verify" below).
🔧 Temporary Workarounds
Web Application Firewall Rules
Implement WAF rules to block SQL injection patterns in the name parameter.
Add a WAF rule that blocks requests whose name parameter contains SQL keywords, quote characters, or comment sequences (--, /*). Match on the URL-decoded value and case-insensitively; a keyword blocklist on the raw value is bypassed by encoding, mixed case, and inline comments, so treat this as a stopgap, not a fix.
Input Validation Filter
Add server-side validation that rejects name parameter values outside an allow-list.
Implement regex validation: ^[a-zA-Z0-9\s._-]{1,100}$
Test this allow-list against real data before deploying it: it rejects apostrophes (O'Brien) and non-ASCII names, and \s admits tabs and newlines. Validation reduces the attack surface but does not replace parameterized queries.
🧯 If You Can't Patch
- Isolate vulnerable systems behind additional network segmentation
- Implement strict input validation and parameterized queries in application code
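The following is an added example, not code from this page or from Relativity, showing the vulnerable pattern beside the two mitigations above: the allow-list regex from the workaround and a parameterized query. The in-memory SQLite table, the "matters" schema, and the queries are stand-ins for the real RelativityOne database (SQL Server), which this page does not describe.

```python
"""Allow-list validation and parameter binding for a 'name' parameter.

Added example. SQLite and the 'matters' table are hypothetical stand-ins
for the Relativity schema and SQL Server backend.
"""
import re
import sqlite3
from typing import Dict, List

# The allow-list regex from the workaround section. fullmatch() is used so a
# trailing newline cannot slip past the '$' anchor; '\s' still admits tabs and
# newlines, so narrow it to a literal space if names never contain those.
NAME_RE = re.compile(r"^[a-zA-Z0-9\s._-]{1,100}$")


def validate_name(name: str) -> bool:
    """True only if 'name' is inside the allow-list (no quotes, comments, etc.)."""
    return NAME_RE.fullmatch(name) is not None


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table of matters (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE matters (id INTEGER PRIMARY KEY, name TEXT, client TEXT)")
    conn.executemany(
        "INSERT INTO matters (name, client) VALUES (?, ?)",
        [("Acme v. Widget", "Acme Corp"), ("Internal Review", "Globex")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    """The bug class: 'name' is spliced into the SQL text and becomes grammar."""
    sql = f"SELECT client FROM matters WHERE name = '{name}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[str]:
    """Parameter binding: the driver ships 'name' as a value, so a payload matches nothing."""
    rows = conn.execute("SELECT client FROM matters WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in rows]


def lookup_hardened(conn: sqlite3.Connection, name: str) -> List[str]:
    """Both layers: reject out-of-policy input early, then bind the parameter."""
    if not validate_name(name):
        raise ValueError("name rejected by allow-list")
    return lookup_parameterized(conn, name)


# Two classic payloads: a tautology that widens the WHERE clause, and a UNION
# that reads schema metadata (sqlite_master here; sys.tables on SQL Server).
TAUTOLOGY = "' OR '1'='1"
UNION_SCHEMA = "' UNION SELECT name FROM sqlite_master --"


def demo() -> Dict[str, object]:
    """Run each lookup against legitimate input and the payloads; returns the results."""
    conn = build_db()
    return {
        "legit_vuln": lookup_vulnerable(conn, "Acme v. Widget"),      # ['Acme Corp']
        "tautology_vuln": lookup_vulnerable(conn, TAUTOLOGY),         # every client
        "union_vuln": lookup_vulnerable(conn, UNION_SCHEMA),          # table names leak
        "tautology_param": lookup_parameterized(conn, TAUTOLOGY),     # [] : treated as data
        "legit_hardened": lookup_hardened(conn, "Acme v. Widget"),    # ['Acme Corp']
        # The allow-list stops both payloads but also a legitimate "O'Brien".
        "allowlist": [validate_name(TAUTOLOGY), validate_name(UNION_SCHEMA),
                      validate_name("O'Brien")],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16s} {value}")
```

The parameterized lookup is the actual fix; the allow-list is defence in depth and, as the last entry shows, it has a false-positive cost on real names that has to be weighed before it is enforced.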
🔍 How to Verify
Check if Vulnerable:
Compare the deployed RelativityOne version against the affected range (v.12.1.537.3 Patch 2 and earlier). If you probe the name parameter, do so only on systems you are authorized to test, and use a non-destructive differential probe (for example, a lone single quote versus a syntactically neutral value, comparing responses) rather than a payload that reads or modifies data.
Check Version:
Check RelativityOne admin interface or contact vendor support for version information
Verify Fix Applied:
Send the same controlled probe to the name parameter after the patch. The value should be handled as literal data: a no-match result or a validation error is expected, while a database error, a changed result set, or a timing difference indicates the injection is still present.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Requests whose parameters contain quote characters, comment sequences (--, /*), or SQL keywords, especially in bursts from one source
- Unexpected database schema changes
Network Indicators:
- HTTP requests whose URL-decoded name parameter contains quotes, comment sequences, or SQL keywords
- Unusual outbound database connections
SIEM Query:
source="web_logs" AND (name="*UNION*" OR name="*SELECT*" OR name="*INSERT*" OR name="*DELETE*")
Match against the URL-decoded, case-normalized value of name; a glob on the raw query string misses encoded (%55NION), mixed-case, and double-encoded payloads. Expect keyword-only matches to produce false positives on legitimate names, so weight quote and comment-sequence hits higher.
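As an added example (not part of this page and not vendor tooling), here is the detection logic from the indicators above run over constructed web access log lines. It URL-decodes the name parameter (collapsing double-encoding), separates high-confidence indicators (UNION ... SELECT, a quote-led tautology, comment or statement separators) from bare SQL keywords, and counts high-confidence hits per source IP. The /Relativity/Search path and the log lines are constructed for the example, not documented RelativityOne routes or real traffic.

```python
"""Flag SQL-injection attempts against a 'name' query parameter in web access logs.

Added example. Log lines are constructed combined-log-format samples; the
/Relativity/Search path is hypothetical.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, unquote_plus, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# High-confidence indicators: these rarely occur in a legitimate name value.
HIGH_RULES = [
    (re.compile(r"\bunion\b[\s/*]+(?:all[\s/*]+)?select\b", re.I), "union-select"),
    (re.compile(r"'\s*or\s+'?[^']*'?\s*=", re.I), "tautology"),       # ' OR '1'='1, ' OR 1=1
    (re.compile(r"--|/\*|;"), "comment-or-stacked-query"),
]
# Low-confidence: a bare keyword. "Select Committee Review" is a plausible real name.
LOW_RULE = re.compile(r"\b(?:select|insert|update|delete|drop|exec|xp_cmdshell)\b", re.I)

# Constructed sample log: one legitimate search, three attack variants
# (plain, mixed case, double-encoded) from one source, one keyword false positive.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /Relativity/Search?name=Acme%20v.%20Widget HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /Relativity/Search?name=%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users--%20 HTTP/1.1" 500 231
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /Relativity/Search?name=%27%20oR%20%271%27%3D%271 HTTP/1.1" 200 9920
10.0.0.9 - - [10/Oct/2023:13:55:42 +0000] "GET /Relativity/Search?name=%2527%2520or%25201%253D1 HTTP/1.1" 200 9920
10.0.0.7 - - [10/Oct/2023:13:56:02 +0000] "GET /Relativity/Search?name=Select%20Committee%20Review HTTP/1.1" 200 488
"""


def extract_name(target: str) -> Optional[str]:
    """Pull the 'name' query value and collapse (bounded) repeated URL-encoding."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("name")
    if not values:
        return None
    value = values[0]                       # parse_qs already decoded one layer
    for _ in range(3):                      # %2527 -> %27 -> ' ; stop when stable
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(name: str) -> Tuple[str, List[str]]:
    """Return (severity, matched rule labels) for a decoded name value."""
    hits = [label for rx, label in HIGH_RULES if rx.search(name)]
    if hits:
        return "high", hits
    if LOW_RULE.search(name):
        return "low", ["sql-keyword"]
    return "none", []


def scan(log_text: str) -> List[Dict[str, object]]:
    """Parse each access-log line and emit a finding for every suspicious name value."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                        # not a request line we understand
        name = extract_name(m["target"])
        if name is None:
            continue
        severity, rules = classify(name)
        if severity == "none":
            continue
        findings.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "name": name, "severity": severity, "rules": rules})
    return findings


def high_by_source(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count high-confidence hits per source IP; a burst from one IP is the alert trigger."""
    counts: Dict[str, int] = {}
    for f in findings:
        if f["severity"] == "high":
            counts[str(f["ip"])] = counts.get(str(f["ip"]), 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f'{f["ip"]} {f["severity"]:4s} {f["rules"]} name={f["name"]!r}')
    print("high hits per source:", high_by_source(results))
```

Alert on the per-source high count rather than on single keyword matches: the last sample line shows why a bare SELECT match needs corroborating quote or comment indicators before it is worth an analyst's time.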