CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda

CVE-2023-6905

CVE-2023-6903

CVE-2023-6904

CVE-2023-3907

The application was vulnerable to multiple instances of SQL injection (authenticated and unauthenticated) through a vulnerable parameter. Due to the stacked query support, complex SQL commands could be crafted and injected into the vulnerable parameter and using a sleep based inferential SQL injection it was possible to extract data from the database.

Discovered by Nelson Fernandes on behalf of The Missing Link Security

**Vulnerability Details**

The application was vulnerable to multiple instances of SQL injection (authenticated and unauthenticated) through a vulnerable parameter. Due to the stacked query support, complex SQL commands could be crafted and injected into the vulnerable parameter and using a sleep based inferential SQL injection it was possible to extract data from the database.

**Affected Versions**

Discovered in: 21.0.2

**Fixed Versions**

Fixed in: 21.0.3

Headline

CVE-2022-3059: SQL injection in Schoolbox version 21.0.2, by Schoolbox Pty Ltd.

CVE: Latest News