CVE-2024-32461: LibreNMS vulnerable to time-based SQL injection that leads to database extraction
First published: Mon Apr 22 2024(Updated: )
### Summary SQL injection vulnerability in POST /search/search=packages in LibreNMS 24.3.0 allows a user with global read privileges to execute SQL commands via the package parameter. ### Details There is a lack of hygiene of data coming from the user in line 83 of the file librenms/includes/html/pages/search/packages.inc.php  ### PoC https://doc.clickup.com/9013166444/p/h/8ckm0bc-53/16811991bb5fff6 ### Impact With this vulnerability, we can exploit a SQL injection time based vulnerability to extract all data from the database, such as administrator credentials
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/librenms/librenms | <24.4.0 | 24.4.0 |
| LibreNMS | <24.4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/librenms/librenms/security/advisories/GHSA-cwx6-cx7x-4q34
- https://github.com/librenms/librenms/commit/d29201fce134347f891102699fbde7070debee33
- https://doc.clickup.com/9013166444/p/h/8ckm0bc-53/16811991bb5fff6
- https://nvd.nist.gov/vuln/detail/CVE-2024-32461
- https://github.com/advisories/GHSA-cwx6-cx7x-4q34 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-32461?
CVE-2024-32461 has been classified as a high severity vulnerability due to its potential impact on database security.
How do I fix CVE-2024-32461?
To fix CVE-2024-32461, upgrade LibreNMS to version 24.4.0 or later.
Who is affected by CVE-2024-32461?
Any user of LibreNMS version 24.3.0 with global read privileges is affected by CVE-2024-32461.
What type of vulnerability is CVE-2024-32461?
CVE-2024-32461 is an SQL injection vulnerability that allows execution of arbitrary SQL commands.
What are the consequences of exploiting CVE-2024-32461?
Exploiting CVE-2024-32461 could allow an attacker to manipulate the database, potentially leading to data breaches.
- agent/weakness
- agent/first-publish-date
- agent/title
- agent/description
- agent/type
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-cwx6-cx7x-4q34
- alias/CVE-2024-32461
- agent/software-canonical-lookup
- agent/references
- collector/nvd-cve
- source/NVD
- agent/author
- collector/github-advisory
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/trending
- agent/remedy
- agent/last-modified-date
- agent/severity
- agent/softwarecombine
- agent/source
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- package-manager/composer
- vendor/librenms
- canonical/librenms