CVE-2022-45165 in Web Centralinfo

Summary

by MITRE • 01/11/2023

An issue was discovered in Archibus Web Central 2022.03.01.107. A service exposed by the application accepts a user-controlled parameter that is used to create an SQL query. It causes this service to be prone to SQL injection.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 04/09/2025

The vulnerability identified as CVE-2022-45165 affects Archibus Web Central version 2022.03.01.107, representing a critical security flaw that exposes the application to unauthorized data access and potential system compromise. This issue manifests through a service component that processes user input without adequate sanitization or validation, creating an exploitable pathway for malicious actors to manipulate the underlying database operations. The affected service accepts parameters from user-controlled inputs and incorporates these directly into SQL query construction, establishing a clear vector for SQL injection attacks that can be leveraged to extract, modify, or delete sensitive information from the database backend.

The technical implementation of this vulnerability stems from improper input validation and parameter handling within the application's database interaction layer. When user-supplied parameters are directly concatenated into SQL statements without proper escaping or parameterization, the application becomes susceptible to malicious input that can alter the intended query execution flow. This pattern aligns with CWE-89, which categorizes SQL injection vulnerabilities as a result of insufficient input sanitization in database query construction. The flaw represents a classic example of insecure parameter handling where user-controllable data flows directly into executable SQL commands, bypassing normal security controls and validation mechanisms.

The operational impact of this vulnerability extends beyond simple data theft, potentially enabling attackers to gain unauthorized access to sensitive organizational information stored within the Archibus system. Given that Archibus Web Central is typically used for facility management and building automation, the compromised data may include critical infrastructure information, access control records, maintenance schedules, and other sensitive operational data. Attackers could exploit this vulnerability to escalate privileges, modify database records, or even execute arbitrary commands on the underlying database server, depending on the database system's configuration and the application's privilege model. This represents a significant risk to both data confidentiality and system integrity, potentially affecting business continuity and regulatory compliance.

Mitigation strategies for CVE-2022-45165 should prioritize immediate implementation of parameterized queries and input validation controls to prevent user-supplied data from being directly incorporated into SQL statements. Organizations should implement proper input sanitization techniques, including the use of prepared statements and parameterized queries to ensure that user input is treated as data rather than executable code. Additionally, the application should be updated to the latest version of Archibus Web Central where this vulnerability has been addressed through proper input validation and sanitization measures. Network segmentation and access controls should be implemented to limit exposure of the vulnerable service, while comprehensive monitoring and logging should be enabled to detect potential exploitation attempts. Security teams should also conduct thorough code reviews and penetration testing to identify similar vulnerabilities within the application's codebase and ensure adherence to secure coding practices aligned with industry standards such as OWASP Top Ten and NIST cybersecurity frameworks.

Responsible

MITRE

Reservation

11/11/2022

Disclosure

01/11/2023

Moderation

accepted

CPE

ready

EPSS

0.00644

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!