CVE Radar

CVE-2024-5356

Severity: High | Vendor: Anji-plus
SVRS: 61
CVSSv3: 9.8
EPSS: 0.01026
Tags: In The Wild, Exploit Available
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Publication date: 2024-05-26
Last modified: 2024-08-01

Security Intelligence Brief

1. What is this vulnerability and why does it matter?
This vulnerability, identified as CVE-2024-5356, is a critical SQL injection flaw found in anji-plus AJ-Report versions up to 1.4.1. It matters significantly because it allows remote attackers to execute arbitrary SQL commands by manipulating the 'dynSentence' argument within the '/dataSet/testTransform;swagger-ui' endpoint. Such an exploit can lead to unauthorized access, modification, or deletion of sensitive database information, potentially compromising the integrity, confidentiality, and availability of data. The existence of publicly disclosed exploits further increases its criticality, posing an immediate threat to affected systems.
2. What are the CVSS score, severity level, and disclosure details?
The CVSS score for this vulnerability is 9.8, indicating a critical severity level. The vulnerability was classified as critical in its description. It was published on 2024-05-26 07:31:04 UTC and last modified on 2024-08-01 21:11:12 UTC. The exploit details have been publicly disclosed and are available for use.
3. Which products, vendors, systems, and versions are affected?
  • Vendor: anji-plus
  • Product: AJ-Report
  • Affected Versions: All versions up to and including 1.4.1 are affected.
4. What is the technical root cause and attack vector?
The technical root cause is an SQL injection vulnerability (CWE-89) arising from the improper neutralization of special elements used in an SQL command. Specifically, the application fails to adequately sanitize or validate user-supplied input for the 'dynSentence' argument. The attack vector is remote, allowing an unauthenticated attacker to manipulate this argument within an unknown function associated with the '/dataSet/testTransform;swagger-ui' file or endpoint.
5. How can this vulnerability be exploited?
This vulnerability can be exploited by a remote attacker who crafts malicious input for the 'dynSentence' argument. By injecting SQL code into this parameter when interacting with the '/dataSet/testTransform;swagger-ui' endpoint, the attacker can cause the application to execute arbitrary database queries. Since exploits have been publicly disclosed and are available, the attack can be readily performed by individuals with knowledge of SQL injection techniques and access to the public exploit.
6. What mitigation steps and patches are available?
Specific patch information was not detailed in the provided CVE data. However, as versions up to 1.4.1 are affected, users should update anji-plus AJ-Report to a version later than 1.4.1 as soon as the vendor releases a fix. Until a patch is available, temporary mitigations include:
  • Implementing Web Application Firewall (WAF) rules to detect and block SQL injection attempts against the '/dataSet/testTransform;swagger-ui' endpoint and the 'dynSentence' parameter.
  • Restricting network access to the AJ-Report application and particularly to the affected endpoint.
  • Ensuring that the database user account used by AJ-Report has only the minimum necessary privileges.
7. How can vulnerable systems be detected?
Vulnerable systems can be detected by:
  • Identifying the version of anji-plus AJ-Report installed. Any instance running version 1.4.1 or earlier is considered vulnerable.
  • Scanning web application logs for unusual or malformed requests targeting the '/dataSet/testTransform;swagger-ui' endpoint, especially those containing SQL keywords or special characters within the 'dynSentence' parameter.
  • Utilizing vulnerability scanners capable of detecting SQL injection flaws.
8. What are the indicators of compromise (IOCs)?
Indicators of Compromise (IOCs) for this vulnerability may include:
  • Unusual or unexpected database queries observed in the AJ-Report application's database logs.
  • Evidence of unauthorized data access, modification, or deletion within the database associated with AJ-Report.
  • HTTP requests to the '/dataSet/testTransform;swagger-ui' endpoint containing suspicious SQL syntax in the 'dynSentence' parameter.
  • Unexpected outgoing network connections from the database server or the AJ-Report host.
  • Error messages from the database appearing in application logs, indicating failed SQL queries.
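As an added example (not part of the CVE Radar brief or of the AJ-Report project), this Python script implements the log review described in sections 7 and 8: it parses combined-format access-log lines, matches requests to the advisory's '/dataSet/testTransform' endpoint, reports the ';swagger-ui' path suffix when present, and lists SQL keywords or quote/comment characters found in the 'dynSentence' query parameter. The log format, the token list and the sample lines are constructed assumptions; values sent in a POST body do not appear in an access log, so that case is only noted in the code.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint and parameter named in the advisory. ";swagger-ui" in the advisory's
# endpoint string is a path matrix suffix, so it is split off and reported separately.
TARGET_PATH = "/dataSet/testTransform"
PARAM = "dynSentence"
# SQL keywords and comment/quote characters to look for in the parameter value. Assumption:
# if dynSentence legitimately carries query text in your deployment, narrow this list.
SQL_TOKENS = re.compile(
    r"(\bunion\b|\bselect\b|\bsleep\b|\bbenchmark\b|\binformation_schema\b|--|/\*|'|\")",
    re.IGNORECASE,
)
# Combined log format (constructed layout; adapt the regex to your server's format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

def inspect_line(line):
    """Return a finding dict for a request matching the advisory's pattern, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    path, _, suffix = parts.path.partition(";")
    if path != TARGET_PATH:
        return None
    tokens = set()
    for value in parse_qs(parts.query).get(PARAM, []):
        # parse_qs decodes once; decode again to catch double-encoded values.
        tokens.update(t.lower() for t in SQL_TOKENS.findall(unquote_plus(value)))
    if not suffix and not tokens:
        return None  # ordinary request; POST bodies are not visible in an access log
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
            "path_suffix": suffix, "tokens": sorted(tokens)}

def scan_log(text):
    """Run inspect_line over every line of an access log and collect the findings."""
    return [f for f in map(inspect_line, text.splitlines()) if f]

# Constructed sample: an ordinary POST (body not logged), a request matching the
# advisory's endpoint string with SQL tokens in dynSentence, and an unrelated hit.
SAMPLE_LOG = """\
203.0.113.5 - - [27/May/2024:10:01:02 +0000] "POST /dataSet/testTransform HTTP/1.1" 200 512
203.0.113.7 - - [27/May/2024:10:01:09 +0000] "GET /dataSet/testTransform;swagger-ui?dynSentence=1%27%20UNION%20SELECT%20user()--%20 HTTP/1.1" 200 2048
198.51.100.9 - - [27/May/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

Feed the script your real access log instead of SAMPLE_LOG and pivot on the reported source IP and timestamp against the database logs named in section 8.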
9. Which threat actors are known to exploit this vulnerability?
While the provided information states that active exploits have been published and are publicly available, it does not name specific threat actors currently exploiting this vulnerability. The public availability of exploit code indicates that a wide range of threat actors, from opportunistic attackers to more sophisticated groups, could potentially leverage this flaw.
10. What public intelligence references and advisories exist?
Public intelligence references and advisories for this vulnerability include:
  • CVE Identifier: CVE-2024-5356
  • VDB Identifier: VDB-266268
The exploit details have been publicly disclosed, increasing the risk.
11. What is the risk assessment and urgency level?
The risk assessment for CVE-2024-5356 is extremely high, denoted by a CVSS score of 9.8, classifying it as critical. The vulnerability is a remotely exploitable SQL injection, which can lead to complete compromise of database confidentiality, integrity, and availability. The urgency level for addressing this vulnerability is immediate and critical, primarily due to:
  • Its critical severity rating.
  • The ability for remote exploitation.
  • The public disclosure and availability of active exploits, increasing the likelihood of widespread attacks.
Organizations using affected versions of anji-plus AJ-Report should prioritize patching or implementing mitigating controls without delay.


Public exploit listing
Title: droyuu/Aj-Report-sql-CVE-2024-5356-POC
Software link: https://github.com/droyuu/Aj-Report-sql-CVE-2024-5356-POC
Date: 2024-09-12

Configuration 1
Type: App | Vendor: Anji-plus | Product: aj-report

References (source | link)
AF854A3A-2127-422B-91AE-364DA2661108 | https://vuldb.com/?id.266268
AF854A3A-2127-422B-91AE-364DA2661108 | https://vuldb.com/?submit.338486
[email protected] | https://vuldb.com/?id.266268
[email protected] | https://vuldb.com/?submit.338486
[email protected] | https://github.com/anji-plus/report/files/15363269/aj-report.pdf
[email protected] | https://github.com/anji-plus/report/issues/34
[email protected] | https://vuldb.com/?ctiid.266268
GITHUB | https://github.com/anji-plus/report/files/15363269/aj-report.pdf

Weakness
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
