CVE-2021-39165 Overview
CVE-2021-39165 is a SQL injection vulnerability in Cachet, an open source status page application built on Laravel. The flaw is in the SearchableTrait#scopeSearch() method: an attacker who has no account on the instance can use it to exfiltrate sensitive data from the database, including administrator credentials (stored password hashes) and session data. It affects Cachet up to and including 2.3.18, the last stable release, as well as the 2.4 development branch.
Critical Impact
Unauthenticated attackers can extract sensitive database contents including administrator credentials and session data, potentially leading to full system compromise.
Affected Products
- Cachet versions up to and including 2.3.18
- Cachet 2.4 development branch
- All CachetHQ Cachet deployments using the vulnerable SearchableTrait
Discovery Timeline
- 2021-08-26 - CVE-2021-39165 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-39165
Vulnerability Analysis
This SQL injection vulnerability (CWE-89) resides in the SearchableTrait#scopeSearch() method of the Cachet application. The trait is mixed into models whose list endpoints accept a search parameter, and it passes that parameter, an associative array of column => value pairs, to Laravel's $query->where(). The values in such an array are bound as query parameters, but the keys become column identifiers in the generated SQL, so an attacker who controls a key controls part of the statement text rather than a bound value. Unauthenticated remote attackers can therefore reach the database through the search parameters of the affected endpoints and read data the application never intended to expose, including administrator password hashes and session data.
The flaw is an incomplete allow-list check. The original code tested whether any search key intersected the model's searchable columns, but it did not remove the non-matching keys from the array before handing it to the query builder.
Root Cause
The root cause of CVE-2021-39165 is improper input validation in scopeSearch(). The vulnerable code called array_intersect(array_keys($search), $this->searchable) and returned early only when that result was empty; as soon as at least one key was a searchable column, the entire unfiltered $search array was passed to $query->where(). An attacker therefore needs just one legitimate key (a real column name) alongside a crafted key to get the crafted key into the WHERE clause, bypassing the intended column restriction entirely.
Attack Vector
The attack vector is network-based and requires neither authentication nor user interaction. An attacker sends HTTP requests in which the search parameter contains one legitimate key plus crafted keys; scopeSearch() forwards the whole array to the query builder, which places the crafted keys in the WHERE clause. Depending on the database engine and driver, this lets the attacker:
- Extract administrator credentials (password hashes) from the users table
- Retrieve active session data for session hijacking
- Read any other data stored in the Cachet database
- Potentially modify or delete records, if the database account has write access and the driver permits stacked queries
// Security patch in app/Models/Traits/SearchableTrait.php
// Ensure only allowed searchable columns are used in DB Query
return $query;
}
- if (!array_intersect(array_keys($search), $this->searchable)) {
+ $allowed_search = array_intersect_key($search, array_flip($this->searchable));
+ if (! $allowed_search) {
return $query;
}
- return $query->where($search);
+ return $query->where($allowed_search);
}
}
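Review bot: The hunk replaces the array_intersect gate with array_intersect_key filtering but carries no regression test; since the old check let the whole $search array through as soon as one key was in $this->searchable, a test that calls the scope with one allowed key plus one unknown key and asserts that only the allowed key reaches where() would pin the fix. A one-line comment above `$allowed_search = array_intersect_key($search, array_flip($this->searchable));` saying that it constrains the keys (the column position) and that the values are still caller-supplied would also help the next reader understand why filtering keys alone is the fix.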
Source: GitHub Commit Details
Detection Methods for CVE-2021-39165
Indicators of Compromise
- Requests in web server logs whose search[...] parameter names are not plain column identifiers (spaces, quotes, parentheses, comment sequences such as --, or UNION/SELECT inside the name)
- Database query logs showing SELECTs against the users table or session storage with WHERE clauses that do not match the application's normal queries
- Unusually large or unusually frequent responses from Cachet's list endpoints to a single client
- Administrator logins or session reuse from unfamiliar addresses shortly after suspicious search requests
Detection Strategies
- Monitor web server and application logs for search requests whose parameter names, not only their values, carry SQL injection patterns such as ' OR 1=1, UNION SELECT, or time-based blind injection attempts; the injection point here is the array key, so checks that inspect only parameter values will miss it
- Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting search functionality
- Review database audit logs for queries that access sensitive tables outside of normal application behavior
- Deploy intrusion detection signatures for common SQL injection attack patterns
Monitoring Recommendations
- Make sure the web server or reverse proxy logs the full request query string, so the search[...] parameter names are available for review; application-level logs alone may not capture them
- Configure database query logging to identify suspicious or malformed SQL statements
- Set up alerts for multiple failed database queries that may indicate SQL injection probing
- Monitor for large data transfers from the database server that could indicate data exfiltration
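As an added example (not code from the Cachet project or from the advisory), the following Python script applies both the pre-patch and the post-patch gating logic of scopeSearch() to the search[...] keys it extracts from access-log lines, so you can see which keys would have reached where() before the fix and which requests a log review should flag. The allow-list, the log lines and the request paths are assumptions constructed for the example, and the hostile key in the second log line is an illustrative shape only, not a working payload.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed allow-list standing in for a Cachet model's $searchable array.
# It is an assumption for this example, not Cachet's real column list.
ALLOWED_COLUMNS = {"id", "name", "status", "enabled", "group_id", "order"}

# A legitimate search key is a bare column identifier and nothing else.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Name of a search array parameter, e.g. search[name]=foo.
SEARCH_KEY_RE = re.compile(r"^search\[(.*)\]$", re.S)


def search_keys(target):
    """Return the (URL-decoded) keys of the search[...] array in a request target."""
    query = urlsplit(target).query
    keys = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        match = SEARCH_KEY_RE.match(name)
        if match:
            keys.append(match.group(1))
    return keys


def analyze_request(target):
    """Apply the pre-patch and post-patch gating logic to one request.

    Pre-patch, scopeSearch() passed the whole search array to where() as soon as
    one key was searchable; post-patch only allow-listed keys survive.  A key is
    treated as hostile when it is not even shaped like a column identifier.
    """
    keys = search_keys(target)
    allowed = [k for k in keys if k in ALLOWED_COLUMNS]
    rogue = [k for k in keys if k not in ALLOWED_COLUMNS]
    hostile = [k for k in rogue if not IDENT_RE.match(k)]
    return {
        "keys": keys,
        "allowed": allowed,
        "rogue": rogue,
        "hostile": hostile,
        # What the pre-patch code handed to where(): everything, if any key matched.
        "prepatch_where": keys if allowed else [],
        # What the patched code hands to where(): only the allow-listed keys.
        "patched_where": allowed,
    }


def scan_log(lines):
    """Return (target, analysis) for each request worth an analyst's attention."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        result = analyze_request(match.group("target"))
        # Flag when a non-allow-listed key would have reached where() on unpatched
        # code, or when any key is not a plausible identifier (probing, even if it failed).
        if result["hostile"] or (result["rogue"] and result["prepatch_where"]):
            findings.append((match.group("target"), result))
    return findings


# Constructed access-log lines (not real traffic). The paths mirror the shape of
# Cachet's API; the odd key in the second line is an illustrative shape only.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Aug/2021:10:00:01 +0000] "GET /api/v1/components?search[name]=api HTTP/1.1" 200 512
203.0.113.9 - - [26/Aug/2021:10:00:05 +0000] "GET /api/v1/components?search[name]=x&search[status%20%3D%201%20OR%20%28SELECT%201%29%3D1--]=1 HTTP/1.1" 200 8192
203.0.113.9 - - [26/Aug/2021:10:00:07 +0000] "GET /api/v1/incidents?search[foo]=bar HTTP/1.1" 200 128
""".splitlines()


if __name__ == "__main__":
    for target, result in scan_log(SAMPLE_LOG):
        print(target)
        print("  pre-patch where():", result["prepatch_where"])
        print("  patched   where():", result["patched_where"])
```

Only the second request is reported: it pairs a real column name with a crafted key, which is exactly the shape the old array_intersect gate waved through. The third request carries an unknown but harmless-looking key on its own, which the old code already rejected, so it is informational at most; tune the allow-list per model before running this over real logs.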
How to Mitigate CVE-2021-39165
Immediate Actions Required
- Upgrade to a patched version of Cachet that includes the fix from commit 27bca8280419966ba80c6fa283d985ddffa84bb6
- If running the original CachetHQ repository, migrate to the fiveai/Cachet fork which contains the security patch
- Review database access logs for any signs of prior exploitation
- Rotate all administrator passwords and invalidate existing sessions as a precautionary measure
Patch Information
The vulnerability has been addressed in the fiveai/Cachet fork. The patch modifies the SearchableTrait.php file to properly filter search parameters using array_intersect_key() with the allowed searchable columns before passing them to the database query. This ensures that only whitelisted column names can be included in the WHERE clause, preventing SQL injection through unauthorized parameters.
The fix is in the commit referenced above. For additional context, see the GitHub Security Advisory GHSA-79mg-4w23-4fqc.
Note: The original CachetHQ/Cachet repository is no longer actively maintained, so users should consider migrating to an actively maintained fork.
Workarounds
- Deploy a Web Application Firewall (WAF) with SQL injection rules that inspect parameter names as well as values, as a temporary protective measure
- Restrict network access to the Cachet instance to trusted IP ranges if public access is not required
- Reject, at the reverse proxy or load balancer, any search[...] parameter whose name is not a plain column identifier
- Temporarily disable search functionality if immediate patching is not possible
# Configuration example - WAF rule for SQL injection detection (ModSecurity)
# The injection point for CVE-2021-39165 is the *name* of the search[...] parameter
# (it becomes a column identifier), so inspect ARGS_NAMES in addition to ARGS;
# a rule on ARGS alone only sees parameter values and misses the crafted key.
SecRule ARGS_NAMES|ARGS "@detectSQLi" \
"id:1001,\
phase:2,\
block,\
msg:'SQL Injection Attack Detected in Cachet Search',\
log,\
tag:'CVE-2021-39165'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.