Platform
php
Component
sentrifugo
Fixed in
3.2.1
CVE-2024-29873 describes a critical SQL injection vulnerability discovered in Sentrifugo versions 3.2. This flaw allows a remote attacker to inject malicious SQL queries, potentially leading to complete data exfiltration from the system. The vulnerability resides within the /sentrifugo/index.php/reports/businessunits/format/html endpoint, specifically the 'bunitname' parameter. Affected users should immediately upgrade to version 3.2.1 to mitigate this risk.
The impact of this SQL injection vulnerability is severe. A successful exploit allows an attacker to bypass authentication and authorization controls, directly querying the underlying database. This could result in the complete compromise of sensitive data, including user credentials, financial information, and business-critical reports. The attacker could potentially modify or delete data, leading to data integrity issues and operational disruption. Given the ease of SQL injection exploitation, this vulnerability presents a significant risk, especially if the database contains sensitive information or is exposed to the internet. While no direct precedent is immediately obvious, the potential for widespread data compromise mirrors the impact of other high-profile SQL injection attacks.
CVE-2024-29873 was publicly disclosed on March 21, 2024. The vulnerability's severity (CVSS 9.8) indicates a high probability of exploitation. As of this writing, no public proof-of-concept (PoC) code has been released, but the ease of SQL injection exploitation suggests that a PoC is likely to emerge. It is not currently listed on CISA KEV, but its criticality warrants close monitoring. Active campaigns targeting Sentrifugo are not currently confirmed, but the vulnerability's ease of exploitation makes it an attractive target.
Exploit Status
EPSS
0.78% (74% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-29873 is to immediately upgrade Sentrifugo to version 3.2.1 or later. If upgrading is not immediately feasible due to compatibility issues or downtime concerns, consider implementing temporary workarounds. Input validation and sanitization on the 'bunitname' parameter are crucial. Web application firewalls (WAFs) configured to detect and block SQL injection attempts can provide an additional layer of defense. Monitor database logs for suspicious SQL queries that might indicate an attempted exploitation. Restrict database user permissions to the minimum necessary for Sentrifugo’s operation. After upgrading, confirm the vulnerability is resolved by attempting a SQL injection payload on the affected endpoint and verifying that it is properly sanitized.
Update Sentrifugo to a version later than 3.2 that fixes the (SQL Injection) vulnerability. If no version is available, consider applying a security patch or disabling the affected functionality until a solution is published.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-29873 is a critical SQL injection vulnerability in Sentrifugo version 3.2, allowing attackers to extract data via crafted queries. It affects the 'bunitname' parameter in the reports endpoint.
Yes, if you are running Sentrifugo version 3.2, you are affected by this vulnerability. Upgrade to version 3.2.1 or later to mitigate the risk.
The recommended fix is to upgrade to Sentrifugo version 3.2.1 or later. Temporary workarounds include input validation and WAF rules.
While no active campaigns are confirmed, the ease of exploitation suggests a high likelihood of exploitation. Monitor your systems closely.
Refer to the Sentrifugo project's official website or security advisories for the latest information and updates regarding CVE-2024-29873.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.