CVE-2024-5356
📋 TL;DR
This critical SQL injection vulnerability in anji-plus AJ-Report allows remote attackers to execute arbitrary SQL commands via the dynSentence parameter in the /dataSet/testTransform endpoint. Organizations using AJ-Report versions up to 1.4.1 are affected, potentially exposing database contents and system integrity.
💻 Affected Systems
- anji-plus AJ-Report
📦 What is this software?
Aj Report by Anji Plus
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data manipulation, or full system takeover via SQL injection escalation.
Likely Case
Unauthorized data access, extraction of sensitive information, and potential database corruption.
If Mitigated
Limited impact with proper input validation, parameterized queries, and network segmentation in place.
🎯 Exploit Status
Exploit details are publicly available in GitHub issues and PDF documentation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://github.com/anji-plus/report/issues/34
Restart Required: No
Instructions:
Monitor the GitHub repository for an official patch. Consider upgrading to a version later than 1.4.1 when one becomes available.
🔧 Temporary Workarounds
Input Validation Filter
Implement strict input validation for the dynSentence parameter to block SQL injection patterns
Modify application code to sanitize dynSentence input using parameterized queries
Endpoint Restriction
Block or restrict access to the /dataSet/testTransform endpoint
Configure web server (nginx/apache) to deny access to /dataSet/testTransform
Use firewall rules to block the endpoint
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) with SQL injection rules
- Network segmentation to isolate AJ-Report from critical databases
🔍 How to Verify
Check if Vulnerable:
Check whether the AJ-Report version is ≤1.4.1 and the /dataSet/testTransform endpoint is reachable
Check Version:
Check application configuration files or web interface for version information
Verify Fix Applied:
Test the endpoint with SQL injection payloads to confirm they're blocked
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple requests to /dataSet/testTransform with SQL-like patterns
Network Indicators:
- HTTP POST requests to /dataSet/testTransform containing SQL keywords
SIEM Query:
source="web_logs" AND uri="/dataSet/testTransform" AND (request CONTAINS "SELECT" OR request CONTAINS "UNION" OR request CONTAINS "INSERT")
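The SIEM query above as a standalone check that can be run over proxy or WAF records before a rule is deployed. This is an added example, not code from the advisory or the AJ-Report project; the record fields (src, method, uri, body) and the sample records are constructed assumptions about what a reverse proxy or WAF in front of AJ-Report would log. It also groups hits per source so the "multiple requests" indicator can be expressed as a threshold.

```python
import re
from collections import Counter

# Constructed sample request records (not real traffic). The fields are an
# assumption about what a reverse proxy or WAF in front of AJ-Report records.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "method": "POST", "uri": "/dataSet/testTransform",
     "body": "dynSentence=select 1"},
    {"src": "10.0.0.5", "method": "POST", "uri": "/dataSet/testTransform",
     "body": "dynSentence=select a from t union select 1"},
    {"src": "10.0.0.9", "method": "POST", "uri": "/dataSet/testTransform",
     "body": "dynSentence=show tables"},
    {"src": "10.0.0.7", "method": "GET", "uri": "/index.html", "body": ""},
]

# Endpoint named in the advisory.
TARGET_URI = "/dataSet/testTransform"

# Keywords from the advisory's SIEM query; matched case-insensitively and on
# word boundaries so "selection" in unrelated text does not trigger.
SQL_KEYWORDS = re.compile(r"\b(select|union|insert)\b", re.IGNORECASE)


def is_suspicious(req):
    """True when the request targets the vulnerable endpoint and its
    body or URI contains one of the SQL keywords from the SIEM query."""
    path = req["uri"].split("?", 1)[0]
    if path != TARGET_URI:
        return False
    haystack = req.get("body", "") + " " + req["uri"]
    return SQL_KEYWORDS.search(haystack) is not None


def flag_sources(requests, threshold=2):
    """Return {src: hit_count} for sources whose number of suspicious
    requests reaches the threshold (the 'multiple requests' indicator)."""
    counts = Counter(r["src"] for r in requests if is_suspicious(r))
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["src"], req["uri"], "SUSPICIOUS" if is_suspicious(req) else "ok")
    print("sources over threshold:", flag_sources(SAMPLE_REQUESTS))
```

Keyword matching on this parameter will also fire on legitimate use, so the per-source threshold, not a single hit, is the alerting condition worth tuning.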
🔗 References
- https://github.com/anji-plus/report/files/15363269/aj-report.pdf
- https://github.com/anji-plus/report/issues/34
- https://vuldb.com/?ctiid.266268
- https://vuldb.com/?id.266268
- https://vuldb.com/?submit.338486