CVE-2024-10378 Overview
CVE-2024-10378 is a SQL injection vulnerability in ESAFENET CDG version 5, a Chinese document security and data leakage prevention product. The flaw resides in the actionViewCDGRenewFile function within /com/esafenet/servlet/client/CDGRenewApplicationService.java. Attackers can manipulate the CDGRenewFileId parameter to inject arbitrary SQL statements into backend database queries. The vulnerability is exploitable remotely over the network and requires low-level privileges but no user interaction. Public disclosure has occurred, and according to the original advisory, the vendor was contacted but did not respond.
Critical Impact
Authenticated remote attackers can manipulate the CDGRenewFileId parameter to inject SQL commands, potentially exposing or modifying sensitive document management data stored by ESAFENET CDG.
Affected Products
- ESAFENET CDG version 5
- Component: CDGRenewApplicationService.java
- Function: actionViewCDGRenewFile
Discovery Timeline
- 2024-10-25 - CVE-2024-10378 published to NVD
- 2024-10-30 - Last updated in NVD database
Technical Details for CVE-2024-10378
Vulnerability Analysis
The vulnerability is classified as SQL Injection [CWE-89]. It originates in the actionViewCDGRenewFile method of the CDGRenewApplicationService servlet. The application accepts the CDGRenewFileId request parameter and concatenates it directly into a SQL query without parameterization or input validation. An authenticated attacker who submits a crafted value for CDGRenewFileId can break out of the intended SQL context and append arbitrary clauses to the executed statement. The EPSS score is 0.242% (47.4th percentile), indicating a limited but non-trivial predicted likelihood of exploitation.
Root Cause
The root cause is improper neutralization of special elements used in a SQL command. The CDGRenewFileId parameter flows from an HTTP request directly into a database query string without prepared statements or sanitization. This violates secure coding practices for JDBC-based Java servlets, where bind variables should be used for all user-controlled input.
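The concatenation flaw described above and its bind-variable fix, as an added example that is not ESAFENET code. It uses Python's sqlite3 as a stand-in for the JDBC servlet; the renew_file table, its rows, and the function names are constructed for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed schema and rows; the advisory does not give the real CDG table layout.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE renew_file (id TEXT PRIMARY KEY, owner TEXT, name TEXT)")
    db.executemany(
        "INSERT INTO renew_file VALUES (?, ?, ?)",
        [("1001", "alice", "q3-plan.docx"), ("1002", "bob", "payroll.xlsx")],
    )
    return db

def view_renew_file_concat(db, cdg_renew_file_id):
    # Flawed pattern: the request value becomes part of the statement text,
    # so a quote inside it is parsed as SQL syntax rather than data.
    sql = "SELECT id, owner, name FROM renew_file WHERE id = '" + cdg_renew_file_id + "'"
    return db.execute(sql).fetchall()

def view_renew_file_bound(db, cdg_renew_file_id):
    # Hardened pattern: the statement text is constant and the value is bound,
    # the equivalent of a JDBC PreparedStatement with a ? placeholder.
    sql = "SELECT id, owner, name FROM renew_file WHERE id = ?"
    return db.execute(sql, (cdg_renew_file_id,)).fetchall()

def is_valid_file_id(value):
    # Same digits-only policy as the WAF workaround, applied in application code.
    return re.fullmatch(r"[0-9]+", value) is not None

if __name__ == "__main__":
    db = make_db()
    crafted = "1001' OR '1'='1"  # constructed textbook value
    print("concat:", view_renew_file_concat(db, crafted))  # returns every row
    print("bound: ", view_renew_file_bound(db, crafted))   # returns no rows
    print("valid: ", is_valid_file_id(crafted))
```
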
Attack Vector
The attack vector is network-based. An attacker with valid low-privilege credentials sends a crafted HTTP request to the vulnerable endpoint exposing the actionViewCDGRenewFile action. By embedding SQL metacharacters or UNION-based payloads in the CDGRenewFileId parameter, the attacker can extract data, enumerate schemas, or modify records depending on the database user's privileges. The exploit has been disclosed publicly through VulDB and a Flowus security share, increasing the likelihood of opportunistic abuse. Refer to the VulDB entry #281808 and the Flowus Security Share for technical specifics.
Detection Methods for CVE-2024-10378
Indicators of Compromise
- HTTP requests targeting URIs that invoke actionViewCDGRenewFile with anomalous CDGRenewFileId values containing SQL metacharacters such as single quotes, UNION, SELECT, --, or /*.
- Database error messages in application logs referencing the CDGRenewApplicationService class or malformed queries on renewal file tables.
- Unexpected outbound data volumes from the ESAFENET CDG application server following requests to the affected endpoint.
Detection Strategies
- Inspect web server and application logs for unusually long or encoded CDGRenewFileId parameter values reaching the CDG servlet.
- Deploy WAF signatures or IDS rules that flag classic SQL injection patterns against the /com/esafenet/servlet/client/ URI path.
- Correlate authenticated user sessions with anomalous query volumes or error rates from the backend database serving ESAFENET CDG.
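One way to implement the log inspection described above, as an added example that is not part of the original advisory. It assumes Combined Log Format access logs and that CDGRenewFileId travels in the query string; the URI path, the command parameter, the length limit, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: client ident user [time] "METHOD URI PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
PARAM = "CDGRenewFileId"
MAX_LEN = 20  # assumed upper bound for a numeric file identifier

def suspicious_requests(lines):
    """Return (client, user, status, decoded_value, reason) for each flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, user, _method, uri, status = m.groups()
        # parse_qs percent-decodes values, so encoded quotes are compared in clear.
        params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
        for value in params.get(PARAM, []):
            if not re.fullmatch(r"[0-9]+", value):
                reason = "non-numeric"
            elif len(value) > MAX_LEN:
                reason = "too-long"
            else:
                continue
            hits.append((client, user, int(status), value, reason))
    return hits

# Constructed sample lines; the path and "command" parameter are placeholders.
BASE = "/cdg/CDGRenewApplicationService?command=actionViewCDGRenewFile"
SAMPLE_LOG = [
    '192.0.2.10 - alice [25/Oct/2024:10:01:02 +0000] "GET ' + BASE
    + '&CDGRenewFileId=1001 HTTP/1.1" 200 512',
    '198.51.100.7 - bob [25/Oct/2024:10:04:40 +0000] "GET ' + BASE
    + '&CDGRenewFileId=1001%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 230',
    '198.51.100.7 - bob [25/Oct/2024:10:04:41 +0000] "GET ' + BASE
    + '&CDGRenewFileId=' + "9" * 40 + ' HTTP/1.1" 200 512',
    '192.0.2.10 - alice [25/Oct/2024:10:05:00 +0000] "GET /cdg/index.jsp HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Grouping the returned tuples by user gives the per-account view needed to correlate probing with a specific low-privilege session. Parameters sent in a POST body do not appear in access logs and need application-level or WAF audit logging instead.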
Monitoring Recommendations
- Enable verbose query logging on the database backing ESAFENET CDG and alert on syntactically anomalous or unusually long statements referencing renewal file tables.
- Monitor authentication logs to detect compromised low-privilege accounts being used to probe the vulnerable endpoint.
- Track egress traffic from the CDG application server for signs of bulk data exfiltration following access to actionViewCDGRenewFile.
How to Mitigate CVE-2024-10378
Immediate Actions Required
- Restrict network access to the ESAFENET CDG management interface using firewall rules or VPN-only access until a vendor patch is available.
- Audit and rotate credentials for all low-privilege accounts that can reach the actionViewCDGRenewFile endpoint.
- Deploy a web application firewall rule blocking SQL injection payloads targeting the CDGRenewFileId parameter.
Patch Information
No vendor patch has been published. According to the disclosure, ESAFENET was contacted early about this issue but did not respond. Organizations running ESAFENET CDG 5 should track VulDB #281808 for any future updates and contact the vendor directly for remediation guidance.
Workarounds
- Apply WAF or reverse-proxy rules to reject requests where CDGRenewFileId contains non-numeric characters, since the parameter should represent a file identifier.
- Limit database account privileges used by ESAFENET CDG so that injection cannot perform schema modification or access unrelated tables.
- Isolate the ESAFENET CDG server on a segmented network and require multi-factor authentication for any user with access to client-facing servlets.
# Example WAF rule (ModSecurity) restricting CDGRenewFileId to digits only
SecRule ARGS:CDGRenewFileId "!@rx ^[0-9]+$" \
"id:1010378,phase:2,deny,status:403,\
msg:'CVE-2024-10378 - Invalid CDGRenewFileId parameter',\
tag:'CWE-89',tag:'ESAFENET-CDG'"


