CVE-2021-39165
published 2021-08-26


Priority: P3 (55), medium; CVSS 3.1 base score 6.5
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
Tags: EXPLOIT
EPSS: 9.75% (94.9th percentile)

Cachet is an open source status page. In Cachet up to and including 2.3.18, there is a SQL injection in `SearchableTrait#scopeSearch()`. Attackers without authentication can use this vulnerability to exfiltrate sensitive data from the database, such as the administrator's password and session. The original Cachet repository is not active; the stable version 2.3.18 and its 2.4 development branch are affected.

Affected (3 ranges)

Vendor      Product   Version range   Fixed in
cachethq    cachet    0 – 2.3.18      -
chachethq   cachet    < 2.3.18        2.3.18
fiveai      cachet    <= 2.3.18       -

Detection & IOCs (extracted from sources)

url: /api/v1/components?name=1&1%5B0%5D=&1%5B1%5D=a&1%5B2%5D=&1%5B3%5D=or+'a'='a')%20and%20(select%20sleep(6))--
path: /api/v1/components
path: /var/www/html/Cachet/bootstrap/cache/config.php
other: shodan:http.favicon.hash:-1606065523
other: fofa:icon_hash=-1606065523
command: GET /api/v1/components?name=1&1[0]=&1[1]=a&1[2]=&1[3]=or+'a'='a') and (select sleep(6))--
sigma: matchers: type: dsl, dsl: ['duration>=6', 'status_code == 200', 'contains(content_type, "application/json")', 'contains(body, "pagination") && contains(body, "data")'], condition: and
  • The SQLi is triggered via the `SearchableTrait#scopeSearch()` method in Cachet's components API endpoint. Detect by monitoring for array-style query parameters (e.g., `1[0]=`, `1[1]=`, `1[3]=or+...`) in requests to `/api/v1/components`.
  • The exploit is unauthenticated — no session or credentials are required to trigger the SQLi against the `/api/v1/components` endpoint. Alert on requests to this endpoint containing SQL keywords (e.g., `sleep`, `or 'a'='a'`) in query parameters.
  • Time-based blind SQLi detection: a response duration >= 6 seconds to `/api/v1/components` with a JSON body containing `pagination` and `data` fields is a strong indicator of successful exploitation.
  • Cachet instances can be fingerprinted via favicon hash -1606065523 on Shodan/FOFA, enabling proactive identification of exposed targets.
  • Post-exploitation, attackers may read `/var/www/html/Cachet/bootstrap/cache/config.php` to harvest database credentials and other secrets from the Laravel config cache.
  • After SQLi, attackers may use the exfiltrated Cachet `api_key` to create malicious incident templates via `/api/v1/incidents` to achieve RCE through Laravel's Blade template engine.
  • The vulnerability affects Cachet <= 2.3.18 (stable) and the 2.4 development branch. The original Cachet repository is no longer actively maintained, so official patches may not be forthcoming from the original vendor.
  • The Nuclei template uses a 20-second request timeout (`@timeout: 20s`) to accommodate the `sleep(6)` time-based payload; detection tooling must account for this extended response window to avoid false negatives.
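The request-level indicators in the bullets above (array-style query parameters and SQL keywords aimed at `/api/v1/components`, and a slow HTTP 200 consistent with the `sleep(6)` time-based probe) can be checked directly against web-server access logs. The script below is an added example, not code from the CVE record, the Nuclei template, or the Cachet project. It assumes (an assumption, not something the record states) a combined-format access log with a trailing response-time field in seconds; the sample log lines are constructed, with the suspicious one using the request already listed in the IOCs above.

```python
"""Flag CVE-2021-39165 request indicators in access logs (added example).

Assumed log format (assumption): combined log format plus a trailing
response-time field in seconds, e.g.
  10.0.0.5 - - [26/Aug/2021:10:00:01 +0000] "GET /path?q=1 HTTP/1.1" 200 512 0.043
"""
import re
from urllib.parse import unquote_plus, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) (?P<duration>[\d.]+)$'
)

TARGET_PATH = "/api/v1/components"
# Array-style parameters such as 1[0]= or 1[3]= (see the IOC list above).
ARRAY_PARAM_RE = re.compile(r"[A-Za-z0-9_]+\[\d+\]=")
# SQL tokens named in the detection notes: sleep(, select, or 'a'='a', comment marker.
SQL_TOKEN_RE = re.compile(r"(sleep\s*\(|\bselect\b|\bor\s*'[^']*'\s*=\s*'|--)", re.I)
SLOW_THRESHOLD_S = 6.0  # mirrors the duration>=6 matcher for the sleep(6) probe


def parse_line(line):
    """Parse one access-log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["duration"] = float(entry["duration"])
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # Decode %xx and '+' so encoded payloads are inspected in their plain form.
    entry["query"] = unquote_plus(parts.query)
    return entry


def analyze(entry):
    """Return the list of indicator names that fire for one parsed entry."""
    if entry is None or entry["path"] != TARGET_PATH:
        return []
    hits = []
    if ARRAY_PARAM_RE.search(entry["query"]):
        hits.append("array_style_params")
    if SQL_TOKEN_RE.search(entry["query"]):
        hits.append("sql_tokens")
    # Time-based blind probe: a successful (200) response that took >= 6 s.
    if entry["status"] == 200 and entry["duration"] >= SLOW_THRESHOLD_S:
        hits.append("slow_200_response")
    return hits


def scan(lines):
    """Return (line_number, client_ip, hits) for every line with an indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        entry = parse_line(line)
        hits = analyze(entry)
        if hits:
            findings.append((n, entry["ip"], hits))
    return findings


# Constructed sample log; line 2 carries the request from the IOC list above.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Aug/2021:10:00:01 +0000] "GET /api/v1/components?name=API HTTP/1.1" 200 812 0.043
198.51.100.7 - - [26/Aug/2021:10:00:09 +0000] "GET /api/v1/components?name=1&1%5B0%5D=&1%5B1%5D=a&1%5B2%5D=&1%5B3%5D=or+'a'='a')%20and%20(select%20sleep(6))-- HTTP/1.1" 200 512 6.412
10.0.0.8 - - [26/Aug/2021:10:00:12 +0000] "GET /api/v1/incidents?per_page=20 HTTP/1.1" 200 2048 0.051
10.0.0.9 - - [26/Aug/2021:10:00:15 +0000] "GET /api/v1/components?tags[0]=db HTTP/1.1" 200 640 0.038
198.51.100.7 - - [26/Aug/2021:10:00:30 +0000] "GET /api/v1/components?name=x HTTP/1.1" 200 512 7.100
""".strip().splitlines()


if __name__ == "__main__":
    for line_no, ip, hits in scan(SAMPLE_LOG):
        print(f"line {line_no} from {ip}: {', '.join(hits)}")
```

Only the combination of all three indicators on one request (line 2) is a strong signal of an exploitation attempt; an array-style parameter alone (line 4) or a single slow response alone (line 5) is weak on its own and is better treated as context for correlation, for example with the same client IP repeating slow requests.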

CVSS provenance

nvd, v3.1: 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd, v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N