Rocket Software Rocket Zena SQL Injection Vulnerability in Version 4.4.1.26
Vulnerability
A SQL injection vulnerability has been identified in Rocket Software Rocket Zena version 4.4.1.26. The issue arises in the 'filter' parameter, where insufficient input sanitization allows attackers to manipulate database queries. This vulnerability requires authentication as a standard user to exploit.
Impact
Exploitation of this vulnerability allows for authenticated SQL injection, enabling attackers to interfere with the application's database queries. This could lead to unauthorized data access or manipulation.
Reproduction
To reproduce this vulnerability, an authenticated user can search the logs of processed tasks using the 'filter' parameter. Inserting a single quote into this parameter will trigger a SQL error, indicating the presence of a SQL injection vulnerability. Once confirmed, the injection can be exploited by crafting a payload that, for example, retrieves the database version.
Remediation
Users are advised to update to Rocket Zena version 4.4.2.50 or later, where this vulnerability has been fixed. For those unable to update immediately, deploying a Web Application Firewall (WAF) that can detect and block common SQL injection payloads is recommended.
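The single-quote behaviour described under Reproduction, next to the general defence of binding the filter as a query parameter, as an added example that is not Rocket Zena's code and does not describe how the vendor fixed the issue. The table, column and function names are hypothetical, the rows are constructed, and SQLite stands in for the product's database.

```python
import sqlite3

def make_db():
    """Build an in-memory table of constructed task-log rows (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE task_log (id INTEGER PRIMARY KEY, task TEXT, status TEXT)")
    db.executemany(
        "INSERT INTO task_log (task, status) VALUES (?, ?)",
        [("nightly_backup", "OK"), ("o'brien_report", "FAILED"), ("100%_sync", "OK")],
    )
    return db

def search_concat(db, filter_value):
    """'Before' form: the filter text is pasted straight into the SQL string."""
    sql = "SELECT task FROM task_log WHERE task LIKE '%" + filter_value + "%' ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def search_bound(db, filter_value):
    """Hardened form: the filter is bound as a parameter, so it is only ever data."""
    # Escape LIKE metacharacters so '%' and '_' in the filter match literally.
    escaped = (filter_value.replace("\\", "\\\\")
               .replace("%", "\\%")
               .replace("_", "\\_"))
    sql = "SELECT task FROM task_log WHERE task LIKE ? ESCAPE '\\' ORDER BY id"
    return [row[0] for row in db.execute(sql, (f"%{escaped}%",))]

def quote_probe(search, db):
    """Regression check: a lone single quote must not surface a SQL error."""
    try:
        search(db, "'")
        return "handled"
    except sqlite3.Error:
        return "sql_error"

if __name__ == "__main__":
    db = make_db()
    print(quote_probe(search_concat, db))  # sql_error
    print(quote_probe(search_bound, db))   # handled
    print(search_bound(db, "'"))           # ["o'brien_report"]
```

The `quote_probe` check can be kept as a regression test for any search endpoint that accepts a free-text filter.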
