CVE-2023-33366 in BioStar 2
Summary
by MITRE • 08/03/2023
A SQL injection vulnerability exists in Suprema BioStar 2 before 2.9.1, which allows authenticated users to inject arbitrary SQL directives into an SQL statement and execute arbitrary SQL commands.
Analysis
by VulDB Data Team • 01/04/2026
CVE-2023-33366 is a SQL injection flaw in Suprema BioStar 2 versions before 2.9.1. It is reachable only by an authenticated user: someone who already holds a valid account can supply crafted input that the application incorporates into an SQL statement without proper handling, so the input alters the structure of the statement instead of being treated as data, and the attacker can run SQL of their choosing against the backing database.
The weakness is CWE-89, Improper Neutralization of Special Elements used in an SQL Command. Input reaches a query without being validated or, more importantly, without being separated from the statement text through parameterized queries, so a value containing quote characters or SQL keywords is parsed as part of the command. The public description does not identify the affected endpoint or parameter. In ATT&CK terms the exploitation itself is T1190 Exploit Public-Facing Application, which explicitly covers SQL injection, and the precondition of a valid login corresponds to T1078 Valid Accounts. T1046 Network Service Discovery is not applicable to an injection flaw.
The impact goes beyond reading data. Arbitrary SQL lets an attacker modify or delete records as well as read them, subject to the privileges of the database account the application uses. BioStar 2 stores biometric templates, access-control events, and user and credential records, so loss of database integrity is serious: an attacker could alter their own or another user's permissions, grant themselves entry to restricted areas, or extract information about users and their access patterns. The requirement for authenticated access lowers the bar rather than raising it in practice, since any compromised or low-privilege account becomes a path to the whole database.
Organizations running BioStar 2 should upgrade to 2.9.1 or later and confirm the installed version afterwards. Independently of the patch, the same class of flaw is prevented by building every query with bound parameters rather than string concatenation, validating input against the expected type and format, and giving the application's database account only the privileges it needs, so that an injection cannot reach tables or statements the feature never required. Network segmentation and tighter access control limit what a compromised account can reach, and periodic assessments of the other components should look for the same pattern. The lesson is the usual one: treat all input as data, never as part of a statement, and apply least privilege to database access in every authentication and authorization system.
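As an added illustration of the CWE-89 pattern and of the parameterized-query fix, the following Python script shows an authenticated-user lookup and a "rename yourself" feature written both ways against an in-memory SQLite table. This is example code written for this page, not Suprema's code; the schema, the rows, the function names and the payloads are all constructed here, and nothing in it describes the actual BioStar 2 endpoint.

```python
import sqlite3

# Constructed sample schema and rows, standing in for an access-control user table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT, card_id TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, role, card_id) VALUES (?, ?, ?)",
        [("alice", "admin", "CARD-0001"),
         ("bob", "operator", "CARD-0002"),
         ("carol", "user", "CARD-0003")],
    )
    conn.commit()
    return conn

def lookup_by_name_vulnerable(conn, name):
    """CWE-89: the caller's input is concatenated into the statement text."""
    sql = "SELECT name, role, card_id FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_by_name_fixed(conn, name):
    """Parameterized: the driver passes the value separately from the statement."""
    return conn.execute(
        "SELECT name, role, card_id FROM users WHERE name = ?", (name,)
    ).fetchall()

def rename_self_vulnerable(conn, caller_id, new_name):
    """An authenticated user may change their own display name. caller_id comes
    from the session; new_name comes from the request body. Returns the caller's
    role afterwards so the effect of the injection is visible."""
    sql = f"UPDATE users SET name = '{new_name}' WHERE id = {int(caller_id)}"
    conn.execute(sql)
    conn.commit()
    return conn.execute("SELECT role FROM users WHERE id = ?", (caller_id,)).fetchone()[0]

def rename_self_fixed(conn, caller_id, new_name):
    """Same feature with bound parameters; new_name can only ever be a name."""
    conn.execute("UPDATE users SET name = ? WHERE id = ?", (new_name, int(caller_id)))
    conn.commit()
    return conn.execute("SELECT role FROM users WHERE id = ?", (caller_id,)).fetchone()[0]

# Constructed payloads (hypothetical, for the demo only).
TAUTOLOGY = "nobody' OR '1'='1"          # WHERE name = 'nobody' OR '1'='1'  -> every row
ROLE_ESCALATION = "bob', role = 'admin"  # SET name = 'bob', role = 'admin' WHERE id = 2

def demo():
    conn = make_db()
    leaked = lookup_by_name_vulnerable(conn, TAUTOLOGY)   # all three rows, admin card included
    safe = lookup_by_name_fixed(conn, TAUTOLOGY)          # [] : no user has that literal name
    # bob (id 2, role operator) promotes himself through the rename feature.
    escalated = rename_self_vulnerable(conn, 2, ROLE_ESCALATION)
    fresh = make_db()
    held = rename_self_fixed(fresh, 2, ROLE_ESCALATION)   # role stays 'operator'
    return len(leaked), len(safe), escalated, held

if __name__ == "__main__":
    print(demo())
```

The UPDATE case is the one that matters for an access-control product: a single-statement injection is enough to rewrite the caller's own role, and sqlite3's one-statement-per-execute rule does not prevent it. The fixed versions do not sanitize the input at all; they simply never let it become part of the statement, which is why parameterization rather than escaping is the recommended fix for CWE-89.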