The vulnerable code is in the method ‘getConnectionFactory()’, which is responsible for connecting a new user to InventoryManagementSystem.

The ConnectionFactory class is abstract and extends the DatabaseConnection class, so it provides common methods such as ‘getConnection()’ and ‘setEncoding()’.

The getConnectionFactory() method receives an attacker-controlled string as input and uses it in a way that is vulnerable to SQL injection.

An attacker can inject SQL queries that cause a denial of service or lead to data leakage. It is recommended to upgrade to the latest version.
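The pattern the advisory describes, as an added illustration in Python with SQLite rather than the product's own code: a factory lookup that splices the caller-supplied name into the SQL text, beside the parameterized fix. The table, column names and factory names are constructed assumptions for the demo.

```python
import re
import sqlite3

# Constructed in-memory stand-in for a table of connection factories (assumption, not the product's schema).
def _setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE connection_factories (name TEXT, jdbc_url TEXT)")
    conn.executemany(
        "INSERT INTO connection_factories VALUES (?, ?)",
        [("inventory", "jdbc:example://db/inventory"),
         ("reporting", "jdbc:example://db/reporting")],
    )
    return conn

def get_connection_factory_vulnerable(conn, factory_name):
    # Attacker-controlled string concatenated straight into the statement:
    # a quote in the input ends the literal and the rest becomes SQL syntax.
    sql = ("SELECT name, jdbc_url FROM connection_factories WHERE name = '"
           + factory_name + "'")
    return conn.execute(sql).fetchall()

# Defense in depth: factory names are identifiers, so reject anything else before querying.
_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")

def get_connection_factory_fixed(conn, factory_name):
    if not _NAME_RE.match(factory_name):
        return []  # caller would log and reject; never reaches the database
    # Bound parameter: the driver passes the value separately from the SQL text,
    # so the input is always data, never syntax.
    sql = "SELECT name, jdbc_url FROM connection_factories WHERE name = ?"
    return conn.execute(sql, (factory_name,)).fetchall()

def demo():
    """Run both versions against a benign name and a name containing a tautology."""
    conn = _setup()
    benign = "inventory"
    hostile = "x' OR '1'='1"
    return {
        "vuln_benign": get_connection_factory_vulnerable(conn, benign),
        "vuln_hostile": get_connection_factory_vulnerable(conn, hostile),   # leaks every row
        "fixed_benign": get_connection_factory_fixed(conn, benign),
        "fixed_hostile": get_connection_factory_fixed(conn, hostile),       # no rows
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```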

Vendor Response: Oracle

Oracle has released a fix for the vulnerability in its latest version of InventoryManagementSystem.

Vendor Information

The vendor information is available on the project’s GitHub.

getConnectionFactory() gives access only to the database connection factory.

SQL Injection Vulnerability - CVE-2022-36259

The most serious issue affecting the service is the SQL injection vulnerability in ‘getConnectionFactory()’ described above.

Timeline

Published on: 09/12/2022 04:15:00 UTC
Last modified on: 09/15/2022 03:51:00 UTC