CVE-2024-29871

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in Sentrifugo 3.2 allows remote attackers to execute arbitrary SQL commands through the 'id' parameter in specific endpoints. Successful exploitation could lead to complete database compromise, including data theft, modification, or deletion. All organizations running vulnerable Sentrifugo instances are affected.

💻 Affected Systems

Products:
  • Sentrifugo
Versions: 3.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the specific endpoints /sentrifugo/index.php/index/getdepartments and /sentrifugo/index.php/index/updatecontactnumber

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data exfiltration, data destruction, authentication bypass, or full system takeover via subsequent attacks.

🟠

Likely Case

Unauthorized access to sensitive HR data, personal information theft, and potential privilege escalation within the application.

🟢

If Mitigated

Limited impact with proper input validation, WAF protection, and database permission restrictions preventing data extraction.

🌐 Internet-Facing: HIGH - The vulnerable endpoints are accessible via web interface, making internet-facing instances immediately exploitable.
🏢 Internal Only: HIGH - Even internally hosted instances remain vulnerable to internal attackers or compromised accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are commonly weaponized, and this appears to be a straightforward parameter injection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for latest patched version

Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sentrifugo

Restart Required: No

Instructions:

1. Review the vendor advisory for patch details.
2. Update to the latest Sentrifugo version.
3. Apply input validation fixes to the affected endpoints.
4. Test functionality after patching.

🔧 Temporary Workarounds

WAF Rule Implementation

all

Deploy web application firewall rules to block SQL injection patterns in the 'id' parameter

Input Validation Filter

all

Implement server-side input validation to restrict 'id' parameter to expected numeric values only

🧯 If You Can't Patch

  • Implement strict input validation on the affected endpoints to only accept expected numeric values
  • Restrict network access to Sentrifugo instances using firewall rules and network segmentation

🔍 How to Verify

Check if Vulnerable:

Test the affected endpoints with SQL injection payloads in the 'id' parameter and monitor for database errors or unexpected responses

Check Version:

Check Sentrifugo version in application interface or configuration files

Verify Fix Applied:

Attempt SQL injection tests after patching and verify they are blocked or sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple rapid requests to affected endpoints with suspicious parameters
  • Database query patterns with concatenated user input

Network Indicators:

  • HTTP requests containing SQL keywords in 'id' parameter
  • Unusual database connection patterns from web server

SIEM Query:

(web.url:*getdepartments* OR web.url:*updatecontactnumber*) AND (web.param.id:SELECT OR web.param.id:UNION OR web.param.id:OR)
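To make the log and network indicators above concrete, here is an added detection script (not part of this advisory or of Sentrifugo) that applies the same logic as the SIEM query to web-server access-log lines: it flags requests to the two affected endpoints whose 'id' parameter is not purely numeric, and notes whether the value contains SQL-like tokens. The Combined-Log format and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from any real deployment).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sentrifugo/index.php/index/getdepartments?id=12 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /sentrifugo/index.php/index/getdepartments?id=12%27%20UNION%20SELECT%201,2 HTTP/1.1" 500 0
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "POST /sentrifugo/index.php/index/updatecontactnumber?id=1%20OR%201%3D1 HTTP/1.1" 200 0
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /sentrifugo/index.php/index/viewcontacts?id=1 HTTP/1.1" 200 300
"""

# Endpoints named in the advisory.
AFFECTED = ("index/getdepartments", "index/updatecontactnumber")
# Apache/nginx combined log: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')
# The workaround's allow-list: 'id' must be a plain integer.
ID_ALLOWED = re.compile(r"^\d{1,10}$")
# Tokens the SIEM query looks for, plus quote/comment characters.
SQL_HINT = re.compile(r"\b(select|union|or|and|sleep|benchmark)\b|['\";#]|--", re.IGNORECASE)

def classify(line):
    """Return None for irrelevant or benign lines, else a dict describing the hit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not any(parts.path.endswith(a) for a in AFFECTED):
        return None
    # parse_qs percent-decodes the value, so "%27" becomes "'" here.
    # Caveat: POST bodies are usually not logged, so an 'id' sent only in the
    # body is invisible to this check; it sees query-string parameters only.
    ids = parse_qs(parts.query).get("id")
    if not ids:
        return None
    raw = ids[0]
    if ID_ALLOWED.match(raw):
        return None
    return {"ip": m.group("ip"), "path": parts.path, "id": raw,
            "status": int(m.group("status")),
            "sql_hint": bool(SQL_HINT.search(raw))}

def scan(log_text):
    """Run classify() over every line and return the list of hits."""
    return [h for h in (classify(l) for l in log_text.splitlines()) if h]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Any hit with a 500 status is worth immediate triage, since a database error on these endpoints is exactly the behaviour the "Unusual SQL error messages" indicator describes.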

🔗 References
