CVE-2022-24407
Published: 2022-02-24
CVE-2022-24407: In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.
Priority: P3 · 54 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.12% (89.5th percentile)
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cyrusimap | cyrus-sasl | 2.1.17 – 2.1.27 | — |
| debian | cyrus-sasl2 | < cyrus-sasl2 2.1.28+dfsg-2 (bookworm) | cyrus-sasl2 2.1.28+dfsg-2 (bookworm) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| msrc | cbl2_cyrus-sasl_2.1.28-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_cyrus-sasl_2.1.28-1_on_cbl_mariner_1.0 | — | — |
| oracle | communications_cloud_native_core_console | — | — |
| oracle | communications_cloud_native_core_network_function_cloud_native_environment | — | — |
| oracle | communications_cloud_native_core_security_edge_protection_proxy | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_msrc | — | 8.8 | HIGH | — |
| vendor_oracle | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
Oracle
Oracle Oracle Communications Risk Matrix: Install/Upgrade (Cyrus SASL) — CVE-2022-24407
vendor_oracle·2023-01-15·CVSS 8.8
CVE-2022-24407 [HIGH] Oracle Oracle Communications Risk Matrix: Install/Upgrade (Cyrus SASL) — CVE-2022-24407
Oracle Oracle Communications Risk Matrix: Install/Upgrade (Cyrus SASL) vulnerability
CVE: CVE-2022-24407
CVSS: 8.8
Protocol: HTTP
Remote exploit: No
Affected versions: Network
Advisory: cpujan2023 (JAN 2023)
Oracle
Oracle Oracle Communications Risk Matrix: CNC Console (Cyrus SASL) — CVE-2022-24407
vendor_oracle·2022-07-15·CVSS 8.8
CVE-2022-24407 [HIGH] Oracle Oracle Communications Risk Matrix: CNC Console (Cyrus SASL) — CVE-2022-24407
Oracle Oracle Communications Risk Matrix: CNC Console (Cyrus SASL) vulnerability
CVE: CVE-2022-24407
CVSS: 8.8
Protocol: HTTP
Remote exploit: No
Affected versions: Network
Advisory: cpujul2022 (JUL 2022)
Ubuntu
Cyrus SASL vulnerability
vendor_ubuntu·2022-02-22
CVE-2022-24407 Cyrus SASL vulnerability
Title: Cyrus SASL vulnerability
Summary: Cyrus SASL could run programs if it received specially crafted network traffic.
It was discovered that the Cyrus SASL SQL plugin incorrectly handled SQL input. A remote attacker could use this issue to execute arbitrary SQL commands.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Ubuntu
Cyrus SASL vulnerability
vendor_ubuntu·2022-02-22
CVE-2022-24407 Cyrus SASL vulnerability
Title: Cyrus SASL vulnerability
Summary: Cyrus SASL could run programs if it received specially crafted network traffic.
USN-5301-1 fixed a vulnerability in Cyrus. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
Original advisory details:
It was discovered that the Cyrus SASL SQL plugin incorrectly handled SQL input. A remote attacker could use this issue to execute arbitrary SQL commands.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Red Hat
cyrus-sasl: failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands
vendor_redhat·2022-02-22·CVSS 8.8
CVE-2022-24407 [HIGH] CWE-89 cyrus-sasl: failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands
cyrus-sasl: failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands
In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.
A flaw was found in the SQL plugin shipped with Cyrus SASL. The vulnerability occurs due to failure to properly escape SQL input and leads to an improper input validation vulnerability. This flaw allows an attacker to execute arbitrary SQL commands and the ability to change the passwords for other accounts allowing escalation of privileges.
Package: cyrus-sasl (Red Hat Enterprise Linux 9) - Not affected
Package: cyrus-sasl (Red Hat JBoss Enterprise Application Platform 6) - Out of support scope
Microsoft
In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28 plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.
vendor_msrc·2022-02-08·CVSS 8.8
CVE-2022-24407 [HIGH] CWE-89 In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28 plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.
In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28 plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Debian
CVE-2022-24407: cyrus-sasl2 - In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape...
vendor_debian·2022·CVSS 8.8
CVE-2022-24407 [HIGH] CVE-2022-24407: cyrus-sasl2 - In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape...
In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.
Scope: local
bookworm: resolved (fixed in 2.1.28+dfsg-2)
bullseye: resolved (fixed in 2.1.27+dfsg-2.1+deb11u1)
forky: resolved (fixed in 2.1.28+dfsg-2)
sid: resolved (fixed in 2.1.28+dfsg-2)
trixie: resolved (fixed in 2.1.28+dfsg-2)
VulDB
Cyrus SASL up to 2.1.27 UPDATE Statement plugins/sql.c Password escape output (EUVD-2022-29299)
vuldb·2026-05-03·CVSS 8.8
CVE-2022-24407 [HIGH] Cyrus SASL up to 2.1.27 UPDATE Statement plugins/sql.c Password escape output (EUVD-2022-29299)
A vulnerability was found in Cyrus SASL up to 2.1.27 and classified as critical. This affects an unknown function of the file plugins/sql.c of the component UPDATE Statement Handler. The manipulation of the argument Password results in escaping of output.
This vulnerability is identified as CVE-2022-24407. The attack can only be performed from the local network. No exploit is available.
It is suggested to upgrade the affected component.
VulDB
Oracle Communications Cloud Native Core Network Function Cloud Native Environment CNE sql injection (EUVD-2022-29299)
vuldb·2026-05-03·CVSS 8.8
CVE-2022-24407 [HIGH] Oracle Communications Cloud Native Core Network Function Cloud Native Environment CNE sql injection (EUVD-2022-29299)
A vulnerability marked as critical has been reported in Oracle Communications Cloud Native Core Network Function Cloud Native Environment 22.2.0. This impacts an unknown function of the component CNE. The manipulation leads to SQL injection.
This vulnerability is uniquely identified as CVE-2022-24407. The attack can be carried out remotely. No exploit exists.
It is suggested to upgrade the affected component.
VulDB
Oracle Communications Cloud Native Core Console 22.2.0 CNC Console sql injection (EUVD-2022-29299)
vuldb·2026-05-03·CVSS 8.8
CVE-2022-24407 [HIGH] Oracle Communications Cloud Native Core Console 22.2.0 CNC Console sql injection (EUVD-2022-29299)
A vulnerability labeled as critical has been found in Oracle Communications Cloud Native Core Console 22.2.0. This affects an unknown function of the component CNC Console. Executing a manipulation can lead to SQL injection.
This vulnerability is handled as CVE-2022-24407. The attack can be executed remotely. No exploit is available.
The affected component should be upgraded.
GHSA
GHSA-fvc5-cffp-h22w: In Cyrus SASL 2
ghsa_unreviewed·2022-02-25
CVE-2022-24407 [HIGH] CWE-89 GHSA-fvc5-cffp-h22w: In Cyrus SASL 2
In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.
OSV
CVE-2022-24407: In Cyrus SASL 2
osv·2022-02-24·CVSS 8.8
CVE-2022-24407 [HIGH] CVE-2022-24407: In Cyrus SASL 2
In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- http://www.openwall.com/lists/oss-security/2022/02/23/4
- https://github.com/cyrusimap/cyrus-sasl/blob/fdcd13ceaef8de684dc69008011fa865c5b4a3ac/docsrc/sasl/release-notes/2.1/index.rst
- https://lists.debian.org/debian-lts-announce/2022/03/msg00002.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4FIXU75Q6RBNK6UYM7MQ3TCFGXR7AX4U/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H26R4SMGM3WHXX4XYNNJB4YGFIL5UNF4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZZC6BMPI3V3MC2IGNLN377ETUWO7QBIH/
- https://security.netapp.com/advisory/ntap-20221007-0003/
- https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28
- https://www.debian.org/security/2022/dsa-5087
- https://www.oracle.com/security-alerts/cpujul2022.html