Worklenz SQL Injection Vulnerability in Project Management and Reporting Components
Vulnerability
A critical SQL injection vulnerability has been identified in Worklenz, a project management tool, in versions prior to 2.1.7. The flaw arises from user input being interpolated into SQL strings without validation or parameterization, and it affects several backend controllers and endpoints rather than a single query. An authenticated attacker with low privileges can alter the structure of the generated SQL, leading to data exfiltration, unauthorized data modification, and mass deletion of records. The vulnerability is fixed in version 2.1.7.
Impact
An authenticated low-privilege user can exploit the flaw in several ways: Boolean-based blind SQL injection through sort (ORDER BY) parameters, manipulation of IN clause filters through values that are interpolated into the query as raw strings, and mass deletion of records through crafted input that reaches DELETE statements. The practical impact is disclosure of data the user is not authorized to read (recovered one condition at a time in the blind case), unauthorized modification, and loss of data.
Reproduction
The vulnerability can be reproduced by sending an authenticated request to an affected endpoint with crafted query parameters. Two paths are described: supplying filter values that the 'flatString()' helper joins into an IN clause without escaping, so a value containing a quote closes the literal and appends attacker SQL; and supplying a crafted ORDER BY parameter whose effect on row ordering depends on an injected condition, which yields Boolean-based blind SQL injection. A low-privilege account is sufficient; no administrative role is required.
Remediation
Upgrade to Worklenz version 2.1.7 or later and confirm the deployed backend reports that version. The fix refactors SQL query construction to use parameterized queries, adds input validation across the affected controllers, and introduces a new 'SqlHelper' utility class for secure query building. Note that parameters can only bind values, not identifiers, so sort columns and directions must additionally be checked against an allowlist; a patch that parameterizes IN clause values but still splices ORDER BY input is incomplete.
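The following is an added illustration, not Worklenz code or its real 'flatString()' or 'SqlHelper' implementation. It reconstructs the two patterns the advisory contrasts: a helper that flattens user values into a quoted list and splices it, alongside an ORDER BY taken verbatim from the request, versus a builder that binds values as numbered placeholders and allowlists sort columns. The table and column names (tasks, project_id, name, created_at, status), the payload strings, and the node-postgres `$1` placeholder style are assumptions for the example; no database is contacted, each builder just returns the text and values it would hand to a driver.

```typescript
// Added example (not Worklenz code): injectable vs. parameterized query building.
// Table/column names, helper names and payloads are assumed for illustration.

interface SqlQuery {
  text: string;     // SQL sent to the driver
  values: string[]; // bound parameters sent separately from the text
}

// Vulnerable pattern: flatten user-supplied values into a quoted list and splice
// it into the SQL string. Nothing escapes a quote inside a value, so a value can
// close the literal and the IN (...) list and append its own SQL.
function flatStringUnsafe(values: string[]): string {
  return values.map((v) => `'${v}'`).join(",");
}

function buildTaskQueryUnsafe(projectIds: string[], orderBy: string, order: string): SqlQuery {
  const text =
    `SELECT id, name FROM tasks WHERE project_id IN (${flatStringUnsafe(projectIds)}) ` +
    `ORDER BY ${orderBy} ${order}`; // sort column and direction spliced verbatim
  return { text, values: [] };
}

// Hardened pattern: values become numbered placeholders ($1, $2, ...) and travel
// separately from the SQL text, so the driver never parses them as SQL.
// Identifiers and keywords cannot be bound, so ORDER BY is restricted to an
// allowlist of column names plus a normalized direction.
const ORDER_COLUMNS: ReadonlySet<string> = new Set(["name", "created_at", "status"]);

function buildTaskQuerySafe(projectIds: string[], orderBy: string, order: string): SqlQuery {
  if (projectIds.length === 0) {
    throw new Error("at least one project id is required"); // IN () is not valid SQL
  }
  if (!ORDER_COLUMNS.has(orderBy)) {
    throw new Error(`unsupported sort column: ${orderBy}`);
  }
  const placeholders = projectIds.map((_, i) => `$${i + 1}`).join(", ");
  const direction = order.toUpperCase() === "DESC" ? "DESC" : "ASC";
  const text =
    `SELECT id, name FROM tasks WHERE project_id IN (${placeholders}) ` +
    `ORDER BY ${orderBy} ${direction}`;
  return { text, values: projectIds };
}

// Constructed payloads (assumed, not taken from a real report) for the two paths.
// 1. IN clause breakout: closes the literal and the list, then comments out the rest.
const IN_PAYLOAD = "x') OR 1=1 --";
// 2. Boolean-based blind via ORDER BY: the row order reveals whether the condition
//    inside CASE holds. (SELECT 1)=1 stands in for a question about protected data.
const ORDER_PAYLOAD = "(CASE WHEN (SELECT 1)=1 THEN name ELSE created_at END)";

// True when the attacker-controlled string ended up inside the SQL text itself,
// i.e. it will be parsed as SQL rather than handled as a bound value.
function payloadReachedSql(q: SqlQuery, payload: string): boolean {
  return q.text.includes(payload);
}

const unsafeIn = buildTaskQueryUnsafe([IN_PAYLOAD], "name", "asc");
const unsafeOrder = buildTaskQueryUnsafe(["p1"], ORDER_PAYLOAD, "asc");
const safe = buildTaskQuerySafe([IN_PAYLOAD, "p2"], "name", "desc");
console.log(unsafeIn.text);          // payload is part of the SQL
console.log(unsafeOrder.text);       // CASE expression is part of the SQL
console.log(safe.text, safe.values); // placeholders only; payload stays in values
```

Running the block prints the unsafe query with the payload spliced in (the trailing `--` comments out the original ORDER BY), while the hardened builder emits `IN ($1, $2)` and keeps the same payload string in the values array where the driver treats it as data. The allowlist check is what closes the ORDER BY path; binding alone cannot, because PostgreSQL parameters are values, not identifiers.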
