CVE-2024-10377 Overview
CVE-2024-10377 is a SQL injection vulnerability in ESAFENET CDG 5, a Chinese document and data security gateway product. The flaw resides in the actionPassDecryptApplication1 function within /com/esafenet/servlet/client/DecryptApplicationService.java. Attackers can manipulate the id parameter to inject arbitrary SQL statements into backend database queries. The vulnerability is remotely exploitable and requires only low-privilege authentication. Public exploit details have been disclosed, increasing the risk of opportunistic exploitation. This issue is distinct from CVE-2024-10069, which affects a different function in the same application. The vendor was contacted prior to disclosure but did not respond.
Critical Impact
Authenticated remote attackers can execute arbitrary SQL queries against the CDG backend database, enabling data theft, modification, or further compromise of the document security platform.
Affected Products
- ESAFENET CDG version 5
- Component: DecryptApplicationService.java client servlet
- Function: actionPassDecryptApplication1
Discovery Timeline
- 2024-10-25 - CVE-2024-10377 published to NVD
- 2024-11-05 - Last updated in NVD database
Technical Details for CVE-2024-10377
Vulnerability Analysis
The vulnerability is classified under [CWE-89] Improper Neutralization of Special Elements used in an SQL Command. The actionPassDecryptApplication1 method in DecryptApplicationService.java accepts a user-controlled id parameter and incorporates it directly into an SQL query without parameterization or input sanitization. An attacker authenticated with low privileges can submit crafted requests containing SQL metacharacters in the id field. The backend executes the injected fragments as part of the original statement, exposing the underlying database to unauthorized read and write operations. Because ESAFENET CDG stores sensitive document metadata, encryption keys, and policy data, successful injection can compromise the confidentiality and integrity of protected enterprise documents.
Root Cause
The root cause is the concatenation of untrusted input into SQL statements within the affected Java servlet. The id argument flows from the HTTP request into a query string without prepared statements or type validation. No allowlist or escape routine is applied before execution against the database driver.
Attack Vector
Exploitation requires network access to the CDG management interface and a valid low-privilege session. The attacker sends an HTTP request to the vulnerable endpoint with a malicious id parameter payload. The CVSS 4.0 vector indicates low impact to confidentiality, integrity, and availability of the vulnerable system. Public disclosure of the technique through VulDB submission #426085 lowers the barrier for adversaries seeking to weaponize the flaw against exposed CDG deployments.
No verified proof-of-concept code is available in trusted repositories. Technical details are published in the VulDB entry #281807 and the Flowus Security Overview.
Detection Methods for CVE-2024-10377
Indicators of Compromise
- HTTP requests to URIs containing DecryptApplicationService with id parameters containing SQL syntax such as UNION, SELECT, --, OR 1=1, or encoded equivalents.
- Unexpected database errors or stack traces in the CDG application logs that reference actionPassDecryptApplication1.
- Anomalous database query volume originating from the CDG application service account.
Detection Strategies
- Inspect web server and application logs for id parameter values that contain non-numeric characters, SQL keywords, or URL-encoded single quotes (%27).
- Deploy web application firewall signatures targeting SQL injection patterns on requests to /com/esafenet/servlet/client/ endpoints.
- Correlate authentication events with subsequent database query anomalies to identify low-privilege accounts being abused for injection.
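The log inspection described above can be scripted. The following is an added example, not code from the vendor or the advisory: it assumes a combined-format access log, that id travels in the query string, and that the log's user field is populated. The path prefix, users and sample lines are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: combined-format access log with the id parameter in the query string.
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]*\] "\S+ (\S+) [^"]*" (\d{3})')
SQL_HINT = re.compile(r"(?i)\b(union|select|or)\b|--|;|'")
ENDPOINT_MARKER = "DecryptApplicationService"

def decode_fully(value, rounds=3):
    """Undo nested URL encoding (%2527 -> %27 -> ') with a bounded loop."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_requests(lines):
    """Return (client, user, status, id_value, reason) per suspicious request."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, user, target, status = m.groups()
        url = urlsplit(target)
        if ENDPOINT_MARKER not in url.path:
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("id", []):
            value = decode_fully(raw)
            if re.fullmatch(r"[0-9]+", value):
                continue  # same numeric-only allowlist as the WAF workaround
            reason = "sql-syntax" if SQL_HINT.search(value) else "non-numeric"
            findings.append((client, user, int(status), value, reason))
    return findings

def accounts_to_review(findings):
    """Count flagged requests per logged user for correlation with auth events."""
    return Counter(user for _, user, _, _, _ in findings)

# Constructed sample lines: documentation IPs, placeholder path and user names.
SAMPLE_LOG = [
    '198.51.100.7 - user1 [25/Oct/2024:10:00:01 +0000] "GET /EXAMPLE/DecryptApplicationService?id=1042 HTTP/1.1" 200 512',
    '198.51.100.7 - user1 [25/Oct/2024:10:00:09 +0000] "GET /EXAMPLE/DecryptApplicationService?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 87',
    '198.51.100.9 - user2 [25/Oct/2024:10:02:30 +0000] "GET /EXAMPLE/DecryptApplicationService?id=7%2527%2520UNION%2520SELECT%25201 HTTP/1.1" 200 90',
    '198.51.100.9 - user2 [25/Oct/2024:10:02:41 +0000] "GET /EXAMPLE/DecryptApplicationService?id=abc HTTP/1.1" 200 64',
    '198.51.100.9 - user2 [25/Oct/2024:10:03:02 +0000] "GET /EXAMPLE/OtherService?id=x%27 HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for finding in flag_requests(SAMPLE_LOG):
        print(finding)
```

Requests that carry id in a POST body do not appear in access logs, so this covers query-string traffic only; body inspection needs WAF or application-level logging.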
Monitoring Recommendations
- Enable verbose query logging on the database backend supporting CDG and alert on multi-statement queries from the application user.
- Monitor outbound network traffic from the CDG server for unexpected data exfiltration following authenticated sessions.
- Track failed and successful logins to the CDG client portal to identify credential abuse preceding injection attempts.
How to Mitigate CVE-2024-10377
Immediate Actions Required
- Restrict network access to the ESAFENET CDG management and client interfaces to trusted administrative networks only.
- Audit all CDG user accounts and disable unused or shared low-privilege credentials that could be leveraged for exploitation.
- Deploy WAF rules blocking SQL metacharacters on the id parameter for requests targeting DecryptApplicationService endpoints.
- Review database logs retroactively for evidence of injection attempts against actionPassDecryptApplication1.
Patch Information
No vendor patch is available. According to the CVE record, the vendor was contacted prior to public disclosure but did not respond. Organizations running ESAFENET CDG 5 should treat the product as unpatched and apply compensating controls. Consult the VulDB advisory for the latest status.
Workarounds
- Place the CDG application behind a reverse proxy that enforces strict input validation on the id parameter, accepting only numeric values.
- Apply database-level least-privilege controls so the CDG service account cannot read or modify tables outside its operational scope.
- Disable or filter access to the actionPassDecryptApplication1 endpoint at the network layer if it is not required for business operations.
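# Example WAF rule (ModSecurity): reject any request whose id parameter is not purely numeric,
# which also blocks SQL metacharacters in that parameter.
# The rule matches every request carrying an id argument; scope it to the CDG virtual host or location.
SecRule ARGS:id "!@rx ^[0-9]+$" \
    "id:1010377,phase:2,deny,status:403,\
    msg:'CVE-2024-10377 - Non-numeric id parameter blocked',\
    tag:'sqli',tag:'esafenet-cdg'"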