CVE-2021-39165
Published 2021-08-26
Priority P3 · 55 · medium · 6.5 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS 9.75% (94.9th percentile)
Cachet is an open source status page. In Cachet versions up to and including 2.3.18, there is a SQL injection in `SearchableTrait#scopeSearch()`. Unauthenticated attackers can use this vulnerability to exfiltrate sensitive data from the database, such as the administrator's password and session. The original Cachet repository is not active; the stable version 2.3.18 and its 2.4 development branch are affected.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cachethq | cachet | 0 – 2.3.18 | — |
| chachethq | cachet | < 2.3.18 | 2.3.18 |
| fiveai | cachet | <= 2.3.18 | — |
Detection & IOCs (extracted from sources)
url: `/api/v1/components?name=1&1%5B0%5D=&1%5B1%5D=a&1%5B2%5D=&1%5B3%5D=or+'a'='a')%20and%20(select%20sleep(6))--`
sigma: `matchers: type: dsl, dsl: ['duration>=6', 'status_code == 200', 'contains(content_type, "application/json")', 'contains(body, "pagination") && contains(body, "data")'], condition: and`
- The SQLi is triggered via the `SearchableTrait#scopeSearch()` method in Cachet's components API endpoint. Detect by monitoring for array-style query parameters (e.g., `1[0]=`, `1[1]=`, `1[3]=or+...`) in requests to `/api/v1/components`.
- The exploit is unauthenticated: no session or credentials are required to trigger the SQLi against the `/api/v1/components` endpoint. Alert on requests to this endpoint containing SQL keywords (e.g., `sleep`, `or 'a'='a'`) in query parameters.
- Time-based blind SQLi detection: a response duration >= 6 seconds to `/api/v1/components` with a JSON body containing `pagination` and `data` fields is a strong indicator of successful exploitation.
- Cachet instances can be fingerprinted via favicon hash -1606065523 on Shodan/FOFA, enabling proactive identification of exposed targets.
- Post-exploitation, attackers may read `/var/www/html/Cachet/bootstrap/cache/config.php` to harvest database credentials and other secrets from the Laravel config cache.
- After SQLi, attackers may use the exfiltrated Cachet `api_key` to create malicious incident templates via `/api/v1/incidents` to achieve RCE through Laravel's Blade template engine.
- The vulnerability affects Cachet <= 2.3.18 (stable) and the 2.4 development branch. The original Cachet repository is no longer actively maintained, so official patches may not be forthcoming from the original vendor.
- The Nuclei template uses a 20-second request timeout (`@timeout: 20s`) to accommodate the `sleep(6)` time-based payload; detection tooling must account for this extended response window to avoid false negatives.
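The first three detection notes above, combined into one access-log check. This is an added example, not code from Cachet, the Nuclei template or any source quoted on this page. It assumes a combined-format access log with the request time in seconds as the last field; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

ENDPOINT = "/api/v1/components"
ARRAY_KEY = re.compile(r"^[^\[\]]+\[[^\]]*\]$")   # decoded keys such as 1[0], 1[3]
SQL_HINT = re.compile(r"\b(sleep|select|union|benchmark)\b|'\s*=\s*'", re.I)
SLOW_SECONDS = 6.0                                 # same threshold as the duration>=6 matcher

# Assumed layout: combined log format plus request time (seconds) as the final field.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
                  r'(?P<status>\d{3}) \S+ (?P<rt>\d+(?:\.\d+)?)$')

# Constructed sample lines (documentation IP ranges); the second reuses the URL listed above.
SAMPLE_LOG = """\
198.51.100.20 - - [12/Mar/2024:10:14:55 +0000] "GET /api/v1/components?name=API&per_page=20 HTTP/1.1" 200 1843 0.041
203.0.113.7 - - [12/Mar/2024:10:15:02 +0000] "GET /api/v1/components?name=1&1%5B0%5D=&1%5B1%5D=a&1%5B2%5D=&1%5B3%5D=or+'a'='a')%20and%20(select%20sleep(6))-- HTTP/1.1" 200 512 6.212
198.51.100.20 - - [12/Mar/2024:10:15:30 +0000] "GET /api/v1/incidents?sort=id HTTP/1.1" 200 977 0.038
"""

def inspect(line):
    """Return (client_ip, reasons) for a suspicious components request, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path.rstrip("/") != ENDPOINT:
        return None
    reasons = set()
    # parse_qsl percent-decodes keys and values, so %5B0%5D is seen as [0].
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if ARRAY_KEY.match(key):
            reasons.add("array-param")
        if SQL_HINT.search(key) or SQL_HINT.search(value):
            reasons.add("sql-keyword")
    # A slow 200 only raises confidence when the request already looks wrong.
    if reasons and m["status"] == "200" and float(m["rt"]) >= SLOW_SECONDS:
        reasons.add("slow-200")
    return (m["ip"], sorted(reasons)) if reasons else None

def scan(lines):
    """Run inspect() over log lines and keep only the hits."""
    return [hit for hit in map(inspect, lines) if hit]

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG.splitlines()):
        print(ip, ",".join(reasons))
```

Lines that do not match the assumed log layout are skipped, so adjust `LINE` to the format your proxy or web server actually writes before relying on an empty result.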
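CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |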
GHSA
Unauthenticated SQL Injection in Cachet
ghsa·2021-08-30
CVE-2021-39165 [HIGH] CWE-287 Unauthenticated SQL Injection in Cachet
### Impact
In Cachet versions through 2.3.18, there is a SQL injection in `SearchableTrait#scopeSearch()`. Unauthenticated attackers can use this vulnerability to exfiltrate sensitive data from the database, such as the administrator's password and session.
### Patches
The original repository at [https://github.com/CachetHQ/Cachet](https://github.com/CachetHQ/Cachet) is not active; the stable version 2.3.18 and its 2.4 development branch are affected.
Update to version 2.5 or later in the [https://github.com/fiveai/Cachet](https://github.com/fiveai/Cachet) fork to fix this vulnerability.
OSV
Unauthenticated SQL Injection in Cachet
osv·2021-08-30
CVE-2021-39165 [HIGH] Unauthenticated SQL Injection in Cachet
No detection rules found.
Nuclei
Cachet <=2.3.18 - SQL Injection
nuclei·CVSS 6.5
CVE-2021-39165 [MEDIUM] Cachet <=2.3.18 - SQL Injection
Cachet is not active; the stable version 2.3.18 and its 2.4 development branch are affected.
Template:
```yaml
id: CVE-2021-39165
info:
  name: Cachet is not active, the stable version 2.3.18 and it's developing 2.4 branch is affected.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
  remediation: |
    Upgrade Cachet to a version higher than 2.3.18 or apply the necessary patches provided by the vendor.
  reference:
    - https://www.leavesongs.com/PENETRATION/cachet-from-laravel-sqli-to-bug-bounty.html
    - https://github.com/fiveai/Cachet/commit/27bca8280419966ba80c6fa283d985ddffa84bb6
    - https://github.com/W0rty/CVE-2021-39165/blob/main/exploit.py
    - https://nvd.nist.
```
CTF
Catch / README
ctf_writeups·CVSS 8.1
[HIGH] Catch / README
# Catch - HackTheBox - Writeup
Linux, 30 Base Points, Medium
## Machine
## TL;DR
To solve this machine, we begin by enumerating open services using `nmap`, finding ports `21`, `22` and `80`.
***User***: Found `status.catch.htb`, `gitea_token` and `lets_chat_token` in `catchv1.0.apk`. Using the `lets_chat_token` token we can use the `lets-chat` API on port `5000`. By using the `lets-chat` API we get the credentials of the `john` user. Using john's credentials we connect to `Cachet` on port `8000`. Using `CVE-2021-39165` we get SQLi and fetch the `api_key` of the `john` user for `Cachet`. Using the `api_key` we create an incident template, get an RCE and find the password of the `will` user in `/var/www/html/Cachet/boo
- https://github.com/fiveai/Cachet/commit/27bca8280419966ba80c6fa283d985ddffa84bb6
- https://github.com/fiveai/Cachet/security/advisories/GHSA-79mg-4w23-4fqc

Published 2021-08-26