Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-37472: HQL injections

Knowage is an open source suite for business analytics. The application often use user supplied data to create HQL queries without prior sanitization. An attacker can create specially crafted HQL queries that will break subsequent SQL queries generated by the Hibernate engine. The endpoint _/knowage/restful-services/2.0/documents/listDocument_ calls the _countBIObjects_ method of the _BIObjectDAOHibImpl_ object with the user supplied _label_ parameter without prior sanitization. This can lead to SQL injection in the backing database. Other injections have been identified in the application as well. An authenticated attacker with low privileges could leverage this vulnerability in order to retrieve sensitive information from the database, such as account credentials or business information. This issue has been addressed in version 8.1.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE
Open in Source
#sql#vulnerability#js#java#auth

Package

KnowageLabs / Knowage-Server (Knowage)

Affected versions

6.x.x, 7.x.x, 8.0.x, < 8.1.8

The application often use user supplied data to create HQL queries without prior sanitization.
An attacker can create specially crafted HQL queries that will break the subsequent SQL queries generated by the Hibernate engine.
Synacktiv experts identified that the endpoint /knowage/restful-services/2.0/documents/listDocument call the countBIObjects method of the BIObjectDAOHibImpl object with the user supplied label parameter without prior sanitization.

// knowage-core/src/main/java/it/eng/spagobi/api/v2/DocumentResource.java public String getDocumentSearchAndPaginate( /*[…]*/, @QueryParam(“label”) String label, /*[…]*/) throws EMFInternalError { // […] jo.put("itemCount", documentsDao.countBIObjects(label != null ? label : "", UserFilter));

return jo.toString();

// knowagedao/src/main/java/it/eng/spagobi/analiticalmodel/document/dao/BIObjectDAOHibImpl.java public Integer countBIObjects(String search, String user) throws EMFUserError { // […] String hql = "select count(*) from SbiObjects "; if (search != null || user != null) { hql += " where ";

    if (search != null) {
        hql += " label like '%" + search + "%'";
    }
}

Query hqlQuery = aSession.createQuery(hql);
Long temp = (Long) hqlQuery.uniqueResult();
/// \[...\]

We can prove the vulnerability by breaking the SQL query generated by Hibernate with the escape sequence “\’’” and call the MySQL function sleep, that will result in a delayed response from the server:

$ time curl -q -H 'Cookie: JSESSIONID=[...]' "http://localhost:8088/knowage/restful-services/2.0/documents/listDocument?label=a%5c'')+order+by+(select+sleep(5));--+-" >/dev/null

real    0m5,014s
user    0m0,010s
sys     0m0,000s

Other injections have been identified in the application, notably in the following files, but were demonstrated by Synacktiv experts has they either require authorization to be reached, or where not called by any identified endpoints or services:

  • knowagedao/src/main/java/it/eng/spagobi/tools/udp/dao/UdpValueDAOHibImpl.java@loadByReferenceIdAndUdpId
  • knowagedao/src/main/java/it/eng/spagobi/tools/udp/dao/UdpValueDAOHibImpl.java@findByReferenceId
  • knowagedao/src/main/java/it/eng/spagobi/tools/dataset/dao/SbiDataSetDAOImpl.java@countSbiDataSet
  • knowagedao/src/main/java/it/eng/spagobi/metadata/dao/SbiMetaTableDAOHibImpl.java@countSbiMetaTable

Impact

An authenticated attacker with low privileges could leverage this vulnerability in order to retrieve sensitive information from the database, such as account credentials or business information.

Patches

You need to upgrade to Knowage 8.1.8 or a later version.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE