CVE-2024-10597 Overview
CVE-2024-10597 is a SQL injection vulnerability in ESAFENET CDG 5, a Chinese data protection and document encryption product. The flaw resides in the delPolicyAction function in /com/esafenet/servlet/system/PolicyActionService.java: the id parameter is not neutralized, so attacker-supplied SQL reaches the backend database. The vulnerability is exploitable remotely and requires only a low-privileged application account. Exploit details have been disclosed publicly. The vendor was contacted before disclosure and did not respond, so deployed instances have no official fix.
Critical Impact
Authenticated remote attackers can execute arbitrary SQL queries against the backend database through the id parameter, exposing confidentiality and integrity of stored policy and document protection data.
Affected Products
- ESAFENET CDG version 5
- delPolicyAction function in PolicyActionService.java
- Deployments exposing the /com/esafenet/servlet/system/ servlet endpoint
Discovery Timeline
- 2024-10-31 - CVE-2024-10597 published to NVD
- 2024-11-06 - Last updated in NVD database
Technical Details for CVE-2024-10597
Vulnerability Analysis
The vulnerability is a classic SQL injection flaw [CWE-89] in the delPolicyAction handler of ESAFENET CDG 5. The handler takes the id argument from the HTTP request and places it directly into a SQL statement without parameterization or input validation, so an authenticated attacker can append SQL syntax to id and change the query that runs. If, as the function name suggests, the value lands in a DELETE statement, the most direct effect is deleting policy records beyond the one requested (for example with a tautology such as OR 1=1); reading data requires blind techniques, error messages or stacked queries, all of which are routine for an injection in a WHERE clause. ESAFENET CDG manages document encryption policies, so the reachable data may include policy definitions, user mappings and audit trails. The vendor has not issued a patch, so exposed installations remain vulnerable until one appears.
Root Cause
The root cause is improper neutralization of special elements used in a SQL command. The delPolicyAction method constructs SQL via string concatenation using the untrusted id request parameter. The application does not enforce prepared statements, type casting, or allow-list validation on the parameter value.
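The concatenation pattern described above, as an added example that is not ESAFENET's code (the page does not reproduce PolicyActionService.java): a Python stand-in for the handler over an in-memory SQLite table, with the vulnerable string-built DELETE beside a version that allow-lists the shape of id and binds it as a parameter. The table name policy_action, its columns and the sample rows are assumptions; the real CDG schema is not on the page. The vulnerable variant also shows why a DELETE is enough for data extraction: the number of rows removed answers a yes/no question the attacker appends to the id.

```python
import re
import sqlite3


def make_db():
    """Constructed fixture standing in for the CDG policy table (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE policy_action (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO policy_action (id, name) VALUES (?, ?)",
        [(1, "encrypt-office-docs"), (2, "watermark-pdf"), (3, "block-usb-export")],
    )
    conn.commit()
    return conn


def remaining_rows(conn):
    return conn.execute("SELECT count(*) FROM policy_action").fetchone()[0]


def del_policy_action_vulnerable(conn, raw_id):
    """CWE-89 pattern the advisory describes: the request value is glued into the SQL.

    Returns the number of rows the DELETE removed. That count (or the row's
    absence afterwards) is a one-bit oracle: the attacker names an id that
    exists, appends AND <condition>, and learns whether the condition held.
    """
    sql = "DELETE FROM policy_action WHERE id = " + raw_id
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def del_policy_action_safe(conn, raw_id):
    """Hardened form: allow-list the shape of id, then bind it as a parameter."""
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise ValueError("id must be a decimal integer")
    cur = conn.execute("DELETE FROM policy_action WHERE id = ?", (int(raw_id),))
    conn.commit()
    return cur.rowcount


def demo():
    results = {}

    conn = make_db()
    results["vuln_legit"] = del_policy_action_vulnerable(conn, "1")
    # Tautology: "id = 2 OR 1=1" matches every remaining row, not just row 2.
    results["vuln_tautology"] = del_policy_action_vulnerable(conn, "2 OR 1=1")
    results["after_vuln"] = remaining_rows(conn)

    conn = make_db()
    # Blind probe: row 2 disappears only if the appended condition is true.
    # sqlite_master stands in for whatever table the attacker wants to ask about.
    true_cond = "2 AND (SELECT count(*) FROM sqlite_master) > 0"
    false_cond = "3 AND (SELECT count(*) FROM sqlite_master) > 5"
    results["blind_true"] = del_policy_action_vulnerable(conn, true_cond)
    results["blind_false"] = del_policy_action_vulnerable(conn, false_cond)

    conn = make_db()
    results["safe_legit"] = del_policy_action_safe(conn, "1")
    try:
        del_policy_action_safe(conn, "2 OR 1=1")
        results["safe_tautology"] = "executed"
    except ValueError:
        results["safe_tautology"] = "rejected"
    results["after_safe"] = remaining_rows(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Parameter binding alone would already neutralize the tautology (the database would compare id against the literal string), but validating the shape first lets the application return a clean client error and keeps the rejected value out of the database's error path, which is also what the detection guidance below keys on.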
Attack Vector
Exploitation occurs over the network through ordinary HTTP requests to the PolicyActionService endpoint. The attacker must hold a low-privilege application account; no user interaction is required. A crafted id value carrying SQL syntax such as a single quote, a boolean condition (OR 1=1), a subquery or a time-delay function triggers the injection during policy deletion processing.
This page does not reproduce a proof-of-concept request. VulDB reports that exploit details have been disclosed publicly; refer to VulDB entry #282609 and the Flowus security writeup for the request structure.
Detection Methods for CVE-2024-10597
Indicators of Compromise
- HTTP requests to /com/esafenet/servlet/system/PolicyActionService containing SQL meta-characters in the id parameter
- UNION, SLEEP, BENCHMARK or similar keywords in application or database logs tied to policy deletion calls (a DELETE statement is expected there; a DELETE whose WHERE clause carries OR conditions, subqueries or comment sequences is not)
- Database error messages or stack traces referencing delPolicyAction returned to clients
- Anomalous removal of policy rows or sudden enumeration of information_schema tables
Detection Strategies
- Inspect web server access logs for non-numeric or URL-encoded payloads in the id query string targeting PolicyActionService
- Deploy WAF signatures for common SQL injection patterns aimed at the ESAFENET CDG servlet path
- Correlate authenticated session activity with database query anomalies originating from the CDG application user
Monitoring Recommendations
- Enable verbose query logging on the CDG backend database and alert on queries from the application service account that reference information_schema or system tables
- Monitor for spikes in 500-series HTTP responses from PolicyActionService, which often indicate failed injection attempts
- Track login activity for low-privilege accounts that subsequently issue high volumes of policy-related requests
How to Mitigate CVE-2024-10597
Immediate Actions Required
- Restrict network access to ESAFENET CDG management interfaces to trusted administrative networks only
- Audit existing application accounts and disable unused or default low-privilege credentials
- Place the CDG application behind a web application firewall with SQL injection rules tuned for the PolicyActionService endpoint
- Review database and application logs for prior exploitation attempts against the delPolicyAction handler
Patch Information
No vendor patch is available. ESAFENET did not respond to the disclosure. Organizations running CDG 5 should contact the vendor directly for a security update and apply compensating controls in the interim. Track the VulDB advisory for any future fix announcements.
Workarounds
- Block external access to /com/esafenet/servlet/system/PolicyActionService at the reverse proxy or firewall layer
- Enforce strict input validation at an upstream proxy to reject id parameter values that are not strictly numeric
- Apply least-privilege database permissions to the CDG application account, removing DROP, ALTER, and cross-schema read rights
- Where feasible, isolate the CDG database server on a segmented network with egress filtering to limit data exfiltration
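The strict numeric check that the Detection Strategies section applies to access logs and that the proxy workaround above enforces on live requests, as one added example that is not part of the advisory or of ESAFENET's product. It assumes id arrives in the query string of the servlet path named in the advisory (the page does not reproduce the real request layout) and that logs are in combined format. The log lines are constructed for the example. The same check_id rule serves both uses: run it over the log to find past attempts, or call it from a reverse-proxy filter to reject requests. It also covers two evasions a plain "is it a number" test misses: a second id parameter (parameter pollution) and double percent-encoding.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Servlet path named in the advisory; the query-string layout id=<n> is assumed.
TARGET_PATH = "/com/esafenet/servlet/system/PolicyActionService"
NUMERIC_ID = re.compile(r"[0-9]{1,10}")

# Combined log format fields we need: source, user, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: two benign calls by alice, then a probing session by bob.
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Nov/2024:10:00:01 +0800] "POST /com/esafenet/servlet/system/PolicyActionService?id=42 HTTP/1.1" 200 312
10.0.0.5 - alice [01/Nov/2024:10:00:02 +0800] "POST /com/esafenet/servlet/system/PolicyActionService?id=0042 HTTP/1.1" 200 312
10.0.0.9 - bob [01/Nov/2024:10:05:10 +0800] "POST /com/esafenet/servlet/system/PolicyActionService?id=42%27 HTTP/1.1" 500 1187
10.0.0.9 - bob [01/Nov/2024:10:05:11 +0800] "POST /com/esafenet/servlet/system/PolicyActionService?id=42%20OR%201%3D1 HTTP/1.1" 200 312
10.0.0.9 - bob [01/Nov/2024:10:05:12 +0800] "POST /com/esafenet/servlet/system/PolicyActionService?id=7&id=7%20UNION%20SELECT%201 HTTP/1.1" 200 312
10.0.0.9 - bob [01/Nov/2024:10:05:13 +0800] "POST /com/esafenet/servlet/system/PolicyActionService?id=%2542 HTTP/1.1" 500 1187
10.0.0.9 - bob [01/Nov/2024:10:05:14 +0800] "POST /com/esafenet/servlet/system/PolicyActionService HTTP/1.1" 200 312
10.0.0.7 - - [01/Nov/2024:10:06:00 +0800] "GET /login?user=x%27 HTTP/1.1" 200 90
"""


def check_id(target):
    """Return None when the request is not for PolicyActionService, otherwise
    ("allow" | "reject", reason). This is the rule a proxy filter would apply."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("id")
    if values is None:
        return ("allow", "no id parameter")
    if len(values) > 1:
        # Parameter pollution: the servlet may read the second copy, not the first.
        return ("reject", "multiple id parameters")
    value = values[0]
    if unquote(value) != value:
        # parse_qs already decoded once; a remaining %xx layer means double encoding.
        return ("reject", "double-encoded id")
    if not NUMERIC_ID.fullmatch(value):
        return ("reject", f"non-numeric id {value!r}")
    return ("allow", "numeric id")


def scan_log(lines):
    """Apply check_id to every in-scope request in an access log."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        verdict = check_id(m["target"])
        if verdict is None:
            continue
        findings.append({
            "ip": m["ip"], "user": m["user"], "ts": m["ts"],
            "status": int(m["status"]), "verdict": verdict[0], "reason": verdict[1],
        })
    return findings


def summarize(findings):
    """Per (ip, user): rejected requests and 5xx responses, the two signals
    the Monitoring Recommendations ask for."""
    summary = {}
    for f in findings:
        entry = summary.setdefault((f["ip"], f["user"]), {"rejected": 0, "server_errors": 0})
        if f["verdict"] == "reject":
            entry["rejected"] += 1
        if f["status"] >= 500:
            entry["server_errors"] += 1
    return summary


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG.splitlines())
    for f in results:
        if f["verdict"] == "reject":
            print(f"{f['ts']} {f['ip']} {f['user']} HTTP {f['status']}: {f['reason']}")
    print(summarize(results))
```

Note that a request with no id at all is allowed rather than flagged, because the same servlet may serve other actions; tighten that only if the deployment's traffic shows id is always present. Leading zeros (0042) pass the numeric rule, which is intentional: they are harmless to a parameterized query and rejecting them would only create false positives.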
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


