CVE-2019-25581 in i-doit CMDB
Summary
by MITRE • 03/21/2026
i-doit CMDB 1.12 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the objGroupID parameter. Attackers can send GET requests with crafted SQL payloads in the objGroupID parameter to extract sensitive database information including usernames, database names, and version details.
Analysis
by VulDB Data Team • 03/27/2026
The vulnerability identified as CVE-2019-25581 affects i-doit CMDB version 1.12 and represents a critical SQL injection flaw that undermines the integrity and confidentiality of the affected system. This vulnerability resides within the application's handling of the objGroupID parameter, which is processed through GET requests without proper input validation or sanitization. The flaw allows unauthenticated attackers to inject malicious SQL code directly into the application's query execution path, bypassing normal authentication mechanisms and potentially gaining unauthorized access to sensitive database resources.
The technical exploitation of this vulnerability follows a classic SQL injection attack pattern where the objGroupID parameter serves as the primary attack vector. When an attacker submits a GET request containing crafted SQL payloads in the objGroupID field, the application fails to properly escape or validate the input before incorporating it into database queries. This allows attackers to manipulate the intended query execution flow and inject their own SQL commands that execute with the privileges of the database user account under which the application operates. The vulnerability specifically targets the application's object group ID handling mechanism, making it particularly dangerous for configuration management databases that store sensitive infrastructure information.
The operational impact of this vulnerability extends beyond simple data extraction to encompass potential full database compromise and unauthorized access to critical system information. Attackers can leverage this vulnerability to extract usernames, database names, and version details, which provides them with valuable reconnaissance information for further attacks. The unauthenticated nature of the exploit means that any external party can potentially access the database without requiring valid credentials, significantly increasing the attack surface and reducing the effectiveness of traditional authentication controls. This vulnerability directly impacts the confidentiality and integrity of the CMDB data, as attackers can not only read sensitive information but also potentially modify or delete database records.
Security professionals should consider this vulnerability in the context of CWE-89, which classifies SQL injection as a fundamental weakness in software applications. The attack pattern aligns with the ATT&CK framework's technique T1190 for exploitation of vulnerabilities, specifically targeting database systems and information disclosure. Organizations should implement immediate mitigations including input validation and parameterized queries to prevent SQL injection attacks, while also conducting comprehensive security assessments of their database systems. The vulnerability demonstrates the critical importance of proper input sanitization and the need for robust application security practices in configuration management systems that handle sensitive infrastructure data.
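As a detection aid alongside the mitigations above, the following added example (not code from i-doit, MITRE or VulDB) reviews web server access logs for GET requests whose objGroupID value is not a plain integer. It assumes the Apache/nginx "combined" log format and that a legitimate object group ID is a short decimal number; the log lines, addresses and request path are constructed.

```python
import re
from urllib.parse import parse_qs

# Assumed "combined" access-log layout: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumption: a legitimate objGroupID is a short decimal integer.
VALID_ID = re.compile(r"\d{1,10}")

def suspicious_requests(lines):
    """Return (client_ip, status, decoded_value) for every GET request
    whose objGroupID parameter is not a plain integer."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        # The advisory describes GET requests; unparsable lines are skipped.
        if not m or m.group("method") != "GET":
            continue
        query = m.group("target").partition("?")[2]
        # parse_qs URL-decodes each value. Checking against an allow-list
        # pattern (rather than matching known payload strings) means the
        # encoding or wording of the injected text does not matter.
        params = parse_qs(query, keep_blank_values=True)
        for value in params.get("objGroupID", []):
            if not VALID_ID.fullmatch(value):
                findings.append((m.group("ip"), int(m.group("status")), value))
    return findings

# Constructed sample log lines (documentation IP ranges, placeholder path "/").
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Mar/2026:10:00:01 +0000] '
    '"GET /?objGroupID=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Mar/2026:10:00:05 +0000] '
    '"GET /?objGroupID=42%27 HTTP/1.1" 500 312 "-" "curl/8.0"',
    '198.51.100.7 - - [21/Mar/2026:10:00:06 +0000] '
    '"GET /?view=list&objGroupID=42+AND+1%3D1 HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '192.0.2.10 - - [21/Mar/2026:10:00:09 +0000] '
    '"POST /?objGroupID=abc HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} status={status} objGroupID={value!r}")
```

A hit with a 5xx status next to hits with 200 from the same client is worth prioritising, since it suggests the input reached the database layer.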