CVE-2024-10595 Overview
CVE-2024-10595 is a SQL injection vulnerability in ESAFENET CDG version 5, a Chinese document security and data leakage prevention product. The flaw resides in the delFile and delDifferCourseList functions inside /com/esafenet/servlet/ajax/PublicDocInfoAjax.java. Attackers can manipulate request parameters to inject arbitrary SQL statements against the backend database. The vulnerability is exploitable remotely and requires only low-privileged authentication. The exploit has been publicly disclosed, and the vendor did not respond to disclosure attempts. The weakness is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Authenticated remote attackers can inject SQL statements through delFile or delDifferCourseList endpoints to read, modify, or delete data in the ESAFENET CDG database.
Affected Products
- ESAFENET CDG version 5
- PublicDocInfoAjax.java servlet component
- Deployments exposing the AJAX endpoint to untrusted networks
Discovery Timeline
- 2024-10-31 - CVE-2024-10595 published to NVD
- 2024-11-01 - Last updated in NVD database
Technical Details for CVE-2024-10595
Vulnerability Analysis
The vulnerability exists in the AJAX servlet PublicDocInfoAjax.java, which exposes document management functions to authenticated users. Two functions, delFile and delDifferCourseList, accept user-supplied parameters and concatenate them directly into SQL queries. An attacker submits crafted parameter values containing SQL meta-characters, which the application passes unsanitized to the database driver. The injection executes in the application's database context, granting access to any data the CDG service account can read. Because CDG stores document classification metadata, encryption policies, and audit records, a successful injection compromises core data-protection guarantees.
Root Cause
The root cause is the absence of parameterized queries or input validation in the delFile and delDifferCourseList request handlers. The code builds SQL statements through string concatenation, treating attacker-controlled input as trusted SQL syntax. No allow-listing, type coercion, or prepared statement binding intervenes between the HTTP parameter and the JDBC execution call.
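The difference between concatenation and type coercion plus binding, as an added example that is not ESAFENET code. The real handler is Java/JDBC; this uses Python's sqlite3 to show the same mechanism, and the table, column and function names are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for a document store.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE public_doc (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO public_doc VALUES (?, ?)",
                   [(1, "a.docx"), (2, "b.xlsx"), (3, "c.pdf")])
    return db

def remaining(db):
    return db.execute("SELECT COUNT(*) FROM public_doc").fetchone()[0]

def del_file_concat(db, file_id):
    # Pattern the advisory describes: the request parameter becomes SQL text.
    db.execute("DELETE FROM public_doc WHERE id = " + file_id)
    return remaining(db)

def del_file_bound(db, file_id):
    # Type coercion first: anything that is not a plain decimal id is rejected.
    if not (file_id.isascii() and file_id.isdigit()):
        raise ValueError("id must be a decimal integer")
    # Binding second: the value travels as data, never as SQL syntax.
    db.execute("DELETE FROM public_doc WHERE id = ?", (int(file_id),))
    return remaining(db)

def demo():
    tampered = "1 OR 1=1"  # constructed parameter value carrying SQL syntax
    concat_left = del_file_concat(make_db(), tampered)  # whole table is deleted
    try:
        del_file_bound(make_db(), tampered)
        rejected = False
    except ValueError:
        rejected = True
    bound_left = del_file_bound(make_db(), "1")  # only the requested row goes
    return concat_left, rejected, bound_left

if __name__ == "__main__":
    print(demo())
```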
Attack Vector
The attack vector is network-based and requires low privileges, with no user interaction. An attacker authenticates to the CDG web interface and issues an HTTP request to the vulnerable AJAX endpoint with a malicious payload in the targeted parameter. Successful exploitation can lead to data exfiltration, tampering with document security policies, or bypass of audit logging stored in the same database. The vulnerability mechanism is documented in the VulDB entry for ID 282607 and the Flowus shared technical document.
Detection Methods for CVE-2024-10595
Indicators of Compromise
- HTTP POST or GET requests to /com/esafenet/servlet/ajax/PublicDocInfoAjax containing SQL meta-characters such as ', --, UNION, SELECT, or SLEEP( in parameters consumed by delFile or delDifferCourseList.
- Database error messages or unusually long response times correlated with requests to the affected endpoint.
- Unexpected DELETE, UPDATE, or SELECT statements in database audit logs originating from the CDG application user.
Detection Strategies
- Inspect web server and application logs for parameter values containing encoded SQL syntax targeting the PublicDocInfoAjax servlet.
- Deploy a web application firewall ruleset that flags SQL injection patterns on the CDG management URLs.
- Correlate authenticated CDG sessions with anomalous database query volume or query duration spikes.
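One way to run the log inspection above, as an added example that is not part of the original advisory. It assumes combined-format access logs, covers query strings only (POST bodies are not in access logs), and the log lines and the `command` and `id` parameter names are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote, unquote_plus

ENDPOINT = "/com/esafenet/servlet/ajax/publicdocinfoajax"
# Tokens from the indicator list: ', --, UNION, SELECT, SLEEP(
SQL_META = re.compile(r"'|--|\bunion\b|\bselect\b|\bsleep\s*\(", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode(value, rounds=2):
    # parse_qsl already decoded once; peel further layers so %2527 becomes '.
    for _ in range(rounds):
        nxt = unquote_plus(value)
        if nxt == value:
            break
        value = nxt
    return value

def suspicious_params(line):
    """Return names of query parameters on the CDG endpoint that carry SQL tokens."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if ENDPOINT not in unquote(url.path).lower():
        return []
    return [name for name, value in parse_qsl(url.query, keep_blank_values=True)
            if SQL_META.search(decode(value))]

def scan(lines):
    # (line index, flagged parameter names) for every line with a hit
    return [(i, hits) for i, line in enumerate(lines)
            if (hits := suspicious_params(line))]

# Constructed sample log lines, not taken from a real deployment.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Nov/2024:10:00:00 +0000] "GET /com/esafenet/servlet/ajax/'
    'PublicDocInfoAjax?command=delFile&id=42 HTTP/1.1" 200 17',
    '10.0.0.9 - - [01/Nov/2024:10:00:07 +0000] "GET /com/esafenet/servlet/ajax/'
    'PublicDocInfoAjax?command=delFile&id=1%2527 HTTP/1.1" 500 312',
    '10.0.0.9 - - [01/Nov/2024:10:00:09 +0000] "GET /index.jsp?q=select HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_LOG):
        print(f"line {idx}: suspicious parameter(s) {names}")
```

Bare tokens such as `--` can also appear in legitimate values, so treat hits as leads to correlate with database audit logs, not as confirmed exploitation.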
Monitoring Recommendations
- Enable database query logging on the CDG backend and alert on statements referencing system tables such as information_schema or vendor equivalents.
- Forward CDG application logs and database audit events to a centralized analytics platform for retention and correlation.
- Monitor for new or modified administrative accounts and policy changes inside CDG following suspicious AJAX traffic.
How to Mitigate CVE-2024-10595
Immediate Actions Required
- Restrict network access to the ESAFENET CDG management interface to trusted administrative subnets only.
- Disable or block the delFile and delDifferCourseList endpoints at a reverse proxy until a vendor fix is available.
- Rotate credentials for any accounts that recently accessed the CDG web interface and review database accounts used by the CDG service.
Patch Information
No vendor patch is currently available. According to the disclosure, the vendor was contacted before public disclosure but did not respond. Track the VulDB CTI entry for updates on remediation status.
Workarounds
- Place the CDG application behind a web application firewall with SQL injection signatures enabled for PublicDocInfoAjax parameters.
- Apply the principle of least privilege to the database account used by CDG, removing DROP, ALTER, and cross-database SELECT rights where possible.
- Enforce strict authentication controls and remove unused user accounts to reduce the pool of low-privileged identities that could trigger the injection.
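# Example reverse proxy rule blocking SQL meta-characters on the vulnerable endpoint.
# $args is the raw, undecoded query string: POST bodies and percent-encoded
# payloads are not inspected by this rule, so treat it as a stopgap only.
location ~* /com/esafenet/servlet/ajax/PublicDocInfoAjax {
    # Reject requests whose query string contains common SQL injection tokens
    if ($args ~* "(\bunion\b|\bselect\b|--|;|/\*|sleep\()") {
        return 403;
    }
    # Everything else is forwarded to the CDG upstream
    proxy_pass http://cdg_backend;
}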


