CVE-2023-1545 Overview
CVE-2023-1545 is a SQL Injection vulnerability affecting Teampass, an open-source collaborative password manager. The vulnerability exists in versions prior to 3.0.0.23 and allows unauthenticated attackers to execute arbitrary SQL queries against the underlying database through the API authentication mechanism.
Critical Impact
This SQL Injection vulnerability enables unauthenticated remote attackers to extract sensitive data from the Teampass database, including stored credentials, encryption keys, and user information. Given that Teampass is a password management solution, successful exploitation could lead to widespread credential theft and organizational compromise.
Affected Products
- Teampass versions prior to 3.0.0.23
- All Teampass installations using the vulnerable AuthModel.php API endpoint
- Self-hosted Teampass deployments with network-accessible API interfaces
Discovery Timeline
- 2023-03-21 - CVE-2023-1545 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-1545
Vulnerability Analysis
The vulnerability resides in the getUserAuth function within the api/Model/AuthModel.php file. This function handles user authentication through the Teampass API and constructs SQL queries using unsanitized user input. When processing login requests, the function directly concatenates the $login parameter into a SQL SELECT statement without proper input validation or parameterized queries.
The vulnerable code path is accessible via the network without requiring prior authentication, making it particularly dangerous for internet-facing Teampass installations. An attacker can leverage this SQL Injection to bypass authentication entirely, extract sensitive password vault contents, and potentially modify or delete stored credentials.
Root Cause
The root cause is a classic SQL Injection vulnerability (CWE-89) where user-controlled input is directly concatenated into SQL queries. The vulnerable implementation constructed queries using string concatenation with the $login variable: WHERE login='".$login."'". This pattern allows attackers to break out of the intended query context and inject malicious SQL commands.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can send crafted HTTP requests to the Teampass API endpoint with malicious payloads in the login parameter. The injection point allows for various SQL attack techniques including:
- UNION-based injection to extract data from other database tables
- Boolean-based blind injection to enumerate database contents
- Time-based blind injection for data extraction when direct output is not available
// Vulnerable code (before patch) - Source: https://github.com/nilsteampassnet/teampass/commit/4780252fdb600ef2ec2758f17a37d738570cbe66
// The login parameter is directly concatenated into the SQL query
$userInfoRes = $this->select("SELECT id, pw, public_key, private_key, personal_folder, fonction_id, groupes_visibles, groupes_interdits, user_api_key FROM " . prefixTable('users') . " WHERE login='".$login."'");
// Fixed code (after patch) - implements input sanitization
$inputData = dataSanitizer(
    [
        'login' => isset($login) === true ? $login : '',
        'password' => isset($password) === true ? $password : '',
        'apikey' => isset($apikey) === true ? $apikey : '',
    ],
    [
        'login' => 'trim|escape',
        'password' => 'trim|escape',
        'apikey' => 'trim|escape',
    ],
    API_ROOT_PATH . '/..'
);
Source: GitHub Teampass Commit
Detection Methods for CVE-2023-1545
Indicators of Compromise
- Unusual API requests to authentication endpoints containing SQL metacharacters such as single quotes, UNION statements, or comment sequences
- Database query logs showing malformed or unexpected SQL syntax in authentication-related queries
- Failed authentication attempts with abnormally long or structured login values
- Access logs showing repeated requests to /api/ endpoints with varying payloads
Detection Strategies
- Deploy Web Application Firewall (WAF) rules to detect SQL Injection patterns in HTTP request parameters targeting Teampass API endpoints
- Monitor database query logs for anomalous patterns including UNION SELECT, OR 1=1, time-based delays, and comment injection attempts
- Implement intrusion detection signatures for known SQL Injection attack payloads targeting the login parameter
- Enable detailed logging on the Teampass application to capture and analyze authentication-related API requests
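One way to act on the database query log items above, as an added example (not code from Teampass or from the original page): a Python check that finds the getUserAuth query in log lines and verifies that nothing follows the closing quote of the login literal. The `teampass_users` table name, the log line layout, and MySQL-style backslash escaping are assumptions, and the sample lines are constructed.

```python
import re

# Shape of the getUserAuth query quoted on this page. The table prefix is
# deployment-specific, so any "<prefix>users" table is accepted (assumption).
AUTH_QUERY = re.compile(r"SELECT\s+id,\s*pw,\s*public_key,.*?\bFROM\s+\w*users"
                        r"\s+WHERE\s+login=(.*)$", re.I)
SUSPICIOUS = re.compile(r"\bUNION\b|\bSELECT\b|\bOR\b|\bSLEEP\b|--|#|/\*", re.I)

def literal_end(sql):
    """Index just past the leading SQL string literal, or -1 if malformed."""
    if not sql.startswith("'"):
        return -1
    i = 1
    while i < len(sql):
        if sql[i] == "\\" or sql[i:i + 2] == "''":
            i += 2        # backslash escape or doubled quote: still inside
        elif sql[i] == "'":
            return i + 1  # closing quote
        else:
            i += 1
    return -1             # literal never closed

def check_line(line):
    """None if the line is not the auth query; otherwise (ok, detail)."""
    m = AUTH_QUERY.search(line)
    if not m:
        return None
    tail = m.group(1).strip()
    end = literal_end(tail)
    if end == -1:
        return (False, "login literal missing or unterminated")
    trailer = tail[end:].strip().rstrip(";").strip()
    if not trailer:
        return (True, "")
    tokens = sorted({t.upper() for t in SUSPICIOUS.findall(trailer)})
    return (False, "SQL after login literal: " + ", ".join(tokens))

# Constructed sample lines in MySQL general-log style (not real data).
Q = ("SELECT id, pw, public_key, private_key, personal_folder, fonction_id, "
     "groupes_visibles, groupes_interdits, user_api_key "
     "FROM teampass_users WHERE login=")
SAMPLE_LOG = [
    "2023-03-22T10:15:01Z 42 Query " + Q + "'alice'",
    "2023-03-22T10:15:02Z 43 Query " + Q + "'o\\'brien'",
    "2023-03-22T10:15:03Z 44 Query " + Q + "'a' OR 1=1 -- '",
]

def flagged(lines):
    """(line, detail) for every auth query that fails the check."""
    return [(ln, r[1]) for ln in lines if (r := check_line(ln)) and not r[0]]
```

Because the check is structural, a login that merely contains an escaped quote passes, while any SQL that appears after the literal closes is reported regardless of which keywords it uses.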
Monitoring Recommendations
- Configure real-time alerting for authentication failures with suspicious payload characteristics
- Establish baseline metrics for normal API authentication traffic patterns and alert on deviations
- Monitor database performance metrics for unusual query execution times that may indicate time-based blind SQL Injection attempts
- Review access logs regularly for reconnaissance activity targeting API endpoints
How to Mitigate CVE-2023-1545
Immediate Actions Required
- Upgrade Teampass to version 3.0.0.23 or later immediately to receive the security patch
- If immediate patching is not possible, restrict network access to the Teampass API endpoints using firewall rules
- Audit database access logs for any historical evidence of SQL Injection exploitation
- Review and rotate all credentials stored in Teampass if compromise is suspected
Patch Information
The vulnerability has been addressed in Teampass version 3.0.0.23 through the implementation of proper input sanitization. The patch introduces the dataSanitizer function to sanitize the login, password, and apikey parameters before they are used in database queries. The fix applies trim and escape operations to all input data, preventing SQL metacharacters from being interpreted as part of the query syntax.
For detailed patch information, refer to the GitHub Teampass Commit and the Huntr Bounty Report.
Workarounds
- Implement network-level access controls to restrict API access to trusted IP addresses only
- Deploy a Web Application Firewall (WAF) with SQL Injection detection rules in front of Teampass
- Disable or restrict API functionality if not required for your deployment
- Use database-level auditing to monitor and log all queries executed against the Teampass database
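# Example: Restrict Teampass API access via nginx configuration
# Note: nginx prefers a matching regex location (for example "location ~ \.php$")
# over this prefix location, so apply the same allow/deny rules wherever
# /api/*.php is actually executed.
location /api/ {
    # Allow only trusted internal networks
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny all;
    # Fall back to the API front controller
    try_files $uri $uri/ /api/index.php?$query_string;
}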
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


