Bentley ProjectWise Integration Server SQL Injection Vulnerability via API Calls

Vulnerability

A vulnerability in Bentley Systems ProjectWise Integration Server versions prior to 10.00.03.288 allows authenticated users to execute unintended SQL queries against the back-end database through an API call. Because the API accepts SQL from any authenticated caller, it can be used to bypass access controls or manipulate data in the SQL database. Bentley plans to deprecate this API in future versions, but current users should be aware of the potential for abuse by insiders, or by anyone holding a valid account, who know the application's schema.

Impact

Exploitation of this vulnerability could lead to unauthorized data access or manipulation, including bypassing access controls and tampering with database information.

Remediation

Users should upgrade to ProjectWise Integration Server version 10.00.03.288 or later and enable the SQL Allow List feature to reduce the risk of malicious SQL query execution. ProjectWise Cloud users should open a service ticket to request the SQL Allow List be activated for their instance.
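The SQL Allow List mitigation works on a simple principle: a statement submitted through the API is executed only if its shape matches one the operator has pre-approved, so the gate never has to recognise a particular injection pattern. The Python below is an added illustration of that principle and is not Bentley's code, nor a description of how ProjectWise implements its own feature. The table and column names, the set of approved queries, and the sample API payloads are all constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed allow list: the legitimate queries the application is known to
# issue, written with sample literals. Table/column names are assumed for the
# example; this is not ProjectWise's allow-list format.
_KNOWN_GOOD_QUERIES = [
    "SELECT o_docname, o_filename FROM dms_doc WHERE o_projectno = 0",
    "SELECT o_projectname FROM dms_proj WHERE o_projectno = 0",
]

# Line and block comments are removed before tokenizing so they cannot hide
# or split tokens.
_COMMENT_RE = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)
# One token: a string literal ('' escapes a quote), a number, an identifier or
# keyword, or a single punctuation character.
_TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|\w+|[^\s\w]")


def tokenize(sql: str) -> List[str]:
    """Strip comments, lower-case keywords and identifiers, and replace every
    string or numeric literal with '?', so only the query's shape remains."""
    stripped = _COMMENT_RE.sub(" ", sql)
    tokens = []
    for tok in _TOKEN_RE.findall(stripped):
        if tok.startswith("'") or tok[0].isdigit():
            tokens.append("?")
        else:
            tokens.append(tok.lower())
    # A single trailing statement terminator is harmless; drop it.
    if tokens and tokens[-1] == ";":
        tokens.pop()
    return tokens


def normalize(sql: str) -> str:
    """Canonical one-line shape of a statement, used as the allow-list key."""
    return " ".join(tokenize(sql))


ALLOWED_SHAPES = frozenset(normalize(q) for q in _KNOWN_GOOD_QUERIES)


def check_query(sql: str) -> Tuple[bool, str]:
    """Gate for SQL arriving via an API call. Returns (allowed, reason).
    Anything whose shape is not on the allow list is refused, including
    tautologies and stacked statements, without any pattern for them."""
    tokens = tokenize(sql)
    if ";" in tokens:
        return False, "stacked statements are never on the allow list"
    shape = " ".join(tokens)
    if shape in ALLOWED_SHAPES:
        return True, "matches allow-listed shape"
    return False, "shape not on allow list: " + shape


if __name__ == "__main__":
    # Constructed sample API payloads, not captured traffic.
    samples = [
        "SELECT o_docname, o_filename FROM dms_doc WHERE o_projectno = 42;",
        "select o_docname,o_filename from dms_doc where o_projectno=7 -- audit",
        "SELECT o_docname, o_filename FROM dms_doc WHERE o_projectno = 42 OR 1=1",
        "SELECT o_docname, o_filename FROM dms_doc WHERE o_projectno = 42; DELETE FROM dms_doc",
        "SELECT * FROM dms_user",
    ]
    for s in samples:
        ok, why = check_query(s)
        print(("ALLOW " if ok else "DENY  ") + repr(s) + "  -> " + why)
```

The normalization deliberately ignores formatting, case, comments and literal values, so the two legitimate spellings of the document query are accepted while the tautology, the stacked DELETE and the unapproved table read are all refused. An allow list of this kind reduces exposure but does not replace parameterized queries or the upgrade itself: it only narrows what an authenticated caller can make the server run.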

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 5.2
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.