CVE-2023-45826 in Leantime
Summary
by MITRE • 10/25/2023
Leantime is an open source project management system. A 'userId' variable in `app/domain/files/repositories/class.files.php` is not parameterized. An authenticated attacker can send a carefully crafted POST request to `/api/jsonrpc` to exploit an SQL injection vulnerability. Confidentiality is impacted as it allows for dumping information from the database. This issue has been addressed in version 2.4-beta-4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 11/11/2023
The vulnerability identified as CVE-2023-45826 affects Leantime, an open source project management system that serves as a collaborative platform for teams to manage tasks, projects, and workflows. This security flaw resides within the file handling functionality of the application, specifically in the `app/domain/files/repositories/class.files.php` component where a userId variable is processed without proper parameterization. The vulnerability represents a classic SQL injection weakness that can be exploited by authenticated attackers who possess valid credentials to the system.
The technical exploitation of this vulnerability occurs through a carefully crafted POST request sent to the `/api/jsonrpc` endpoint, which serves as the application's remote procedure call interface. The lack of parameterization in the userId variable means that malicious input can be directly incorporated into SQL queries without proper sanitization or escaping mechanisms. This allows an attacker to manipulate the underlying database queries and extract sensitive information from the system's database. The vulnerability specifically impacts the confidentiality aspect of the system's security posture, enabling unauthorized data access and potential information disclosure.
From an operational perspective, this vulnerability presents significant risk to organizations using Leantime as their project management solution. Since the attack requires only authenticated access, any user with valid credentials can potentially exploit this flaw, making it particularly dangerous in environments where multiple users have access to the system. The impact extends beyond simple data theft as the attacker could potentially extract user credentials, project details, task information, and other sensitive organizational data that might be stored in the database. This type of vulnerability undermines the integrity of the application's access controls and can lead to broader security compromise within the organization's project management infrastructure.
The vulnerability has been addressed in version 2.4-beta-4 of Leantime, which implements proper parameterization of the userId variable to prevent SQL injection attacks. Security practitioners should prioritize upgrading affected systems to this patched version to eliminate the risk of exploitation. The vulnerability aligns with CWE-89, which specifically addresses SQL injection flaws, and represents a clear violation of secure coding practices that should be enforced through proper input validation and parameterized queries. Organizations utilizing Leantime should also consider implementing network-level monitoring to detect suspicious API requests to the jsonrpc endpoint and establish proper access controls to limit the potential impact of authenticated attacks. The absence of known workarounds means that immediate remediation through software updates is essential, as no temporary mitigations can effectively address the root cause of the vulnerability.