CVE-2024-32480
Published 2024-04-22
Priority P3 58 | high | 7.2 CVSS 3.1
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 20.28% (97.1th percentile)
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. Versions prior to 24.4.0 are vulnerable to SQL injection. The `order` parameter is obtained from `$request`. After performing a string check, the value is directly incorporated into an SQL statement and concatenated, resulting in a SQL injection vulnerability. An attacker may extract a whole database this way. Version 24.4.0 fixes the issue.
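One way to close the `order` injection described above, as an added example (not LibreNMS's own code and not the 24.4.0 patch): accept only a bare column name from an allowlist plus an optional `ASC`/`DESC`, and reject everything else. The `build_order_clause` helper, the column list and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample allowlist (assumption); a real one lists the sortable columns of `devices`.
const SORTABLE_COLUMNS = ['hostname', 'device_id', 'sysName', 'os', 'uptime'];

function build_order_clause(?string $order, string $default = 'hostname'): string
{
    $order = trim((string) $order);
    if ($order === '') {
        $order = $default;
    }
    // Accept exactly "<identifier>" or "<identifier> ASC|DESC"; no quotes, commas or parentheses.
    if (!preg_match('/^([A-Za-z_][A-Za-z0-9_]*)(?:\s+(asc|desc))?\z/i', $order, $m)) {
        throw new InvalidArgumentException('invalid order parameter');
    }
    $direction = strtoupper($m[2] ?? 'ASC');
    // The identifier must match a known column exactly (strict, case-sensitive).
    if (!in_array($m[1], SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    return 'd.`' . $m[1] . '` ' . $direction;
}

// Constructed inputs: two legitimate values, then two shapes a substring check does not stop.
$samples = [
    'hostname',
    'uptime desc',
    'host`name',                   // backtick would break out of the identifier quoting
    '(arbitrary expression) asc',  // contains " asc", so a substring check passes it through verbatim
];
foreach ($samples as $s) {
    try {
        printf("%-32s => ORDER BY %s\n", var_export($s, true), build_order_clause($s));
    } catch (InvalidArgumentException $e) {
        printf("%-32s => rejected (%s)\n", var_export($s, true), $e->getMessage());
    }
}
```

Because only allowlisted identifiers and the two fixed direction keywords ever reach the SQL string, no part of the request value is concatenated as free text.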
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| librenms | librenms | < 24.4.0 | 24.4.0 |
| librenms | librenms | >= 0 < 24.4.0 | 24.4.0 |
OSV
LibreNMS vulnerable to a Time-Based Blind SQL injection leads to database extraction
osv·2024-04-22
CVE-2024-32480 [HIGH] LibreNMS vulnerable to a Time-Based Blind SQL injection leads to database extraction
### Summary
Get a valid API token, make sure you can access API functions, then replace the string in my PoC code. Tested on the official OVA image; it's an old version 23.9.1, but this vulnerability also exists in the latest version 24.2.0.
### Details
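In file `api_functions.php`, line 307, in function `list_devices`:
```php
$order = $request->get('order'); // taken directly from the API request
$type = $request->get('type');
$query = $request->get('query');
$param = [];
if (empty($order)) {
    $order = 'hostname';
}
// The only check: if the value contains ' desc' or ' asc' it is used as-is;
// otherwise it is wrapped in backticks without escaping.
if (stristr($order, ' desc') === false && stristr($order, ' asc') === false) {
    $order = 'd.`' . $order . '` ASC';
}
/* ... */
$devices = [];
// $order is concatenated into the statement instead of being validated or bound
$dev_query = "SELECT $select FROM `devices` AS d $join WHERE $sql GROUP BY d.`hostname` ORDER BY $order";
fo
```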
GHSA
ghsa·2024-04-22
CVE-2024-32480 [HIGH] CWE-89 LibreNMS vulnerable to a Time-Based Blind SQL injection leads to database extraction
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/librenms/librenms/commit/83fe4b10c440d69a47fe2f8616e290ba2bd3a27c
https://github.com/librenms/librenms/security/advisories/GHSA-jh57-j3vq-h438
Published 2024-04-22