CVE-2021-37832
published 2021-08-03


Priority: P356
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.10% (89.5th percentile)
A SQL injection vulnerability exists in version 3.0.2 of Hotel Druid when SQLite is being used as the application database. A malicious attacker can issue SQL commands to the SQLite database through the vulnerable idappartamenti parameter.

Affected

3 ranges

Vendor: debian; Product: hoteldruid; Version range: < hoteldruid 3.0.3-1 (bookworm); Fixed in: hoteldruid 3.0.3-1 (bookworm)
Vendor: digitaldruid; Product: hoteldruid; Version range: (not stated); Fixed in: (not stated)
Vendor: digitaldruid; Product: hoteldruid; Version range: >= 0, < 3.0.3-1; Fixed in: 3.0.3-1

Detection & IOCs

Version: Hotel Druid 3.0.2
  • Monitor HTTP requests for SQL injection payloads in the 'idappartamenti' parameter of Hotel Druid 3.0.2 when SQLite is the backend database.
  • The SQL injection vulnerability is only exploitable when SQLite is configured as the Hotel Druid application database; other database backends may not be affected.
  • Debian Bullseye remains unpatched (open); Bookworm and Sid are resolved with version 3.0.3-1.

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
osv: 9.8 CRITICAL
vendor_debian: 9.8 CRITICAL