CVE-2024-55159
📋 TL;DR
GFast versions 2.0 through 3.2 contain a SQL injection vulnerability in the login log listing endpoint. Attackers can inject malicious SQL queries through the SortName parameter, potentially accessing or manipulating database contents. This affects all GFast deployments using vulnerable versions.
💻 Affected Systems
- GFast
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full database compromise including authentication bypass, data exfiltration, or complete system takeover via SQL injection leading to remote code execution.
Likely Case
Unauthorized data access from the login logs table and potentially other database tables accessible to the application's database user.
If Mitigated
Limited impact due to proper input validation, parameterized queries, or database user privilege restrictions.
🎯 Exploit Status
Exploitation requires access to the login log endpoint, which typically requires authentication. The vulnerability is in the Go source code at line 75 of sys_login_log.go.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.3 or later
Vendor Advisory: https://github.com/tiger1103/gfast
Restart Required: Yes
Instructions:
1. Upgrade GFast to version 3.3 or later.
2. Review and apply the fix in sys_login_log.go line 75.
3. Restart the GFast application service.
🔧 Temporary Workarounds
Input Validation Filter
Add input validation to reject malicious SortName parameter values
Implement regex validation: ^[a-zA-Z0-9_]+$ for SortName parameter
WAF Rule
Block SQL injection patterns in the SortName parameter
Add WAF rule: Detect SQL injection patterns in POST/GET parameters to /system/loginLog/list
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with SQL injection protection rules
- Restrict network access to the GFast application to trusted IP addresses only
🔍 How to Verify
Check if Vulnerable:
Check if GFast version is between 2.0 and 3.2 inclusive, and review sys_login_log.go line 75 for unsafe SQL concatenation.
Check Version:
Check GFast configuration files or application metadata for version information
Verify Fix Applied:
Verify GFast version is 3.3 or later, and confirm sys_login_log.go line 75 uses parameterized queries or proper input sanitization.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in application logs
- Multiple failed login attempts with unusual SortName parameters
- Database error messages containing SQL syntax
Network Indicators:
- HTTP requests to /system/loginLog/list with SQL keywords in parameters
- Unusual database query patterns from application server
SIEM Query:
source="web_logs" AND uri="/system/loginLog/list" AND (param="SortName" AND value MATCHES "(?i)(union|select|insert|update|delete|drop|exec|--|#)")
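Added example (not GFast's own code) covering both the "Input Validation Filter" workaround and the detection pattern from the SIEM query above. A column name used in ORDER BY cannot be bound as a query parameter, so the validator pairs the page's `^[a-zA-Z0-9_]+$` check with an allowlist of sortable columns; the column names in the allowlist are assumptions, since the page does not give GFast's real schema.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical allowlist of sortable login-log columns (assumption: the page
// does not name GFast's real columns; replace with the actual schema).
var allowedSortColumns = map[string]bool{
	"id": true, "login_name": true, "ipaddr": true, "login_time": true,
}

// Syntactic check from the workaround section: ^[a-zA-Z0-9_]+$
var sortNamePattern = regexp.MustCompile(`^[a-zA-Z0-9_]+$`)

// Monitoring pattern taken from the SIEM query (case-insensitive).
var sqliPattern = regexp.MustCompile(`(?i)(union|select|insert|update|delete|drop|exec|--|#)`)

// ValidateSortName accepts SortName only if it is [a-zA-Z0-9_]+ AND names a
// column we deliberately allow sorting on. The allowlist is the real fix:
// ORDER BY targets cannot be passed as bind parameters.
func ValidateSortName(sortName string) error {
	if !sortNamePattern.MatchString(sortName) {
		return fmt.Errorf("SortName %q contains characters outside [a-zA-Z0-9_]", sortName)
	}
	if !allowedSortColumns[sortName] {
		return fmt.Errorf("SortName %q is not a sortable column", sortName)
	}
	return nil
}

// BuildOrderBy returns a safe ORDER BY clause; the column reaches the SQL
// string only after passing the allowlist, and the direction is normalised
// to a fixed ASC/DESC literal rather than echoed from the request.
func BuildOrderBy(sortName, sortOrder string) (string, error) {
	if err := ValidateSortName(sortName); err != nil {
		return "", err
	}
	dir := "ASC"
	if strings.EqualFold(sortOrder, "desc") {
		dir = "DESC"
	}
	return fmt.Sprintf("ORDER BY %s %s", sortName, dir), nil
}

// LooksLikeSQLi applies the SIEM pattern to a parameter value for alerting;
// it complements, but does not replace, ValidateSortName.
func LooksLikeSQLi(value string) bool {
	return sqliPattern.MatchString(value)
}
```

A request whose SortName fails ValidateSortName should be rejected with an error response, and a LooksLikeSQLi hit on the same parameter is worth an alert even when the validator already blocked it.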