Pimcore SQL Injection Vulnerability in Dependency Listing Endpoints

Vulnerability

A SQL injection vulnerability has been identified in Pimcore, an open-source data and experience management platform, affecting versions through 11.5.14.1 and 12.3.2. The issue arises in the dependency listing endpoints, where the filter query parameter is JSON-decoded and the value field is directly concatenated into RLIKE clauses without proper sanitization or the use of parameterized queries. This vulnerability requires admin authentication to exploit. An attacker with access to the admin panel can extract the entire database, including password hashes of other admin users.

Impact

Exploitation of this vulnerability allows for SQL injection, with the potential to extract sensitive data from the database, including password hashes of admin users.

Reproduction

To reproduce this vulnerability, send a GET request to the '/admin/element/get-requires-dependencies' or '/admin/element/get-required-by-dependencies' endpoint. Include a 'filter' query parameter that is JSON-encoded. The 'value' field of the filter should be crafted to include a SQL injection payload, such as a string that breaks out of the expected context and into the SQL command, taking advantage of the RLIKE clause vulnerability.

Remediation

Users can upgrade to Pimcore versions 11.5.15 or 12.3.3, both of which contain the necessary patch to address this vulnerability.
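
A log review for the request pattern described under Reproduction, as an added example that is not part of the advisory or of Pimcore's code: it scans access-log lines for the two endpoints, JSON-decodes the filter parameter and reports value fields that contain SQL syntax. The log format, the nested filter shape, the pattern list and the sample lines are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qs, quote, urlsplit

ENDPOINTS = ("/admin/element/get-requires-dependencies",  # named in the advisory
             "/admin/element/get-required-by-dependencies")
# Heuristic (assumption): quotes, comment tokens, ';' and SQL keywords are not
# expected in a filter value; tune this for your own legitimate traffic.
SUSPICIOUS = re.compile(
    r"['\";]|--|/\*|\b(union|select|sleep|benchmark|information_schema)\b", re.I)
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')  # combined log format assumed

def filter_values(raw):
    """Return every string 'value' field in the JSON-decoded filter parameter."""
    try:
        stack = [json.loads(raw)]
    except ValueError:
        return []
    found = []
    while stack:  # walk nested objects and lists; the exact filter shape is assumed
        node = stack.pop()
        if isinstance(node, dict):
            found += [v for k, v in node.items() if k == "value" and isinstance(v, str)]
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return found

def suspicious_requests(log_lines):
    """Return (line_number, value) pairs whose filter value matches SUSPICIOUS."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        url = urlsplit(match.group(1)) if match else None
        if url is None or url.path not in ENDPOINTS:
            continue
        for raw in parse_qs(url.query).get("filter", []):
            hits += [(number, v) for v in filter_values(raw) if SUSPICIOUS.search(v)]
    return hits

def sample_line(path, flt):
    """Build a constructed access-log line (not real traffic)."""
    return (f'198.51.100.7 - - [24/Feb/2026:04:20:00 +0000] '
            f'"GET {path}?id=1&filter={quote(json.dumps(flt))} HTTP/1.1" 200 512')

SAMPLE_LOG = [  # constructed entries; the third path is a placeholder
    sample_line(ENDPOINTS[0], [{"value": "product"}]),
    sample_line(ENDPOINTS[1], [{"value": "x' OR 1=1 -- "}]),
    sample_line("/admin/other/endpoint", [{"value": "x' OR 1=1 -- "}]),
]
```

A hit is a lead for review rather than proof of exploitation, and the check only sees query strings that reach the access log.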

Added: Feb 24, 2026, 4:20 AM
Updated: Feb 24, 2026, 4:20 AM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 2.5
exploitability: 6.3
remediation: 7.7
relevance: 3.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.