dns-stats hedgehog src/DSCIOManager.cpp dsc_import_input_from_source SQL injection [Disputed]
A vulnerability was found in dns-stats hedgehog. It has been rated as problematic. Affected by this issue is the function DSCIOManager::dsc_import_input_from_source of the file src/DSCIOManager.cpp. The manipulation leads to SQL injection. The weakness is classified as CWE-89. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. The weakness was released 12/24/2022 as 190. The advisory is available at github.com.
This vulnerability is handled as CVE-2021-4276. The attack may be launched remotely. Technical details are available. Furthermore, there is an exploit available. The exploit has been disclosed to the public and may be used. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment. This vulnerability is assigned to T1505 by the MITRE ATT&CK project.
It is declared as proof-of-concept. The exploit is available at github.com. As a 0-day, the estimated underground price was around $0-$5k. The real existence of this vulnerability is still doubted at the moment. We do assume that the Data Manager server can only be accessed by authorised users. Because of this, we don’t believe this specific attack is possible without such a compromise of the Data Manager server.
The patch is identified as 58922c345d3d1fe89bb2020111873a3e07ca93ac. The bugfix is ready for download at github.com. It is recommended to apply a patch to fix this issue. A possible mitigation was published before the disclosure of the vulnerability, not just after it.