CVE-2024-10659 Overview
CVE-2024-10659 is a SQL injection vulnerability in ESAFENET CDG 5, a data leak prevention and document encryption product. The flaw resides in the delSystemEncryptPolicy function within /com/esafenet/servlet/document/CDGAuthoriseTempletService.java. Attackers manipulate the id parameter to inject arbitrary SQL statements into backend database queries. The vulnerability is exploitable remotely over the network and requires low-privileged authentication. Public disclosure of the exploit details increases the likelihood of opportunistic attacks against exposed deployments. The weakness is classified under [CWE-89] Improper Neutralization of Special Elements used in an SQL Command.
Critical Impact
Authenticated remote attackers can inject SQL through the id parameter of delSystemEncryptPolicy, enabling unauthorized read, modification, or deletion of sensitive data stored in the ESAFENET CDG database.
Affected Products
- ESAFENET CDG version 5
- Component: CDGAuthoriseTempletService.java
- Function: delSystemEncryptPolicy
Discovery Timeline
- 2024-11-01 - CVE-2024-10659 published to NVD
- 2024-11-05 - Last updated in NVD database
Technical Details for CVE-2024-10659
Vulnerability Analysis
The vulnerability stems from improper neutralization of user-supplied input in the delSystemEncryptPolicy function of CDGAuthoriseTempletService.java. The id argument is concatenated into a SQL statement without parameterization or sanitization. An authenticated attacker submits a crafted HTTP request that includes SQL syntax in the id parameter. The backend database parses the injected fragment as part of the original query.
The injection point is reachable over the network and requires only low-privileged access to the application. Successful exploitation impacts confidentiality, integrity, and availability of database contents. Because ESAFENET CDG manages document encryption policies and authorization templates, attackers may extract sensitive policy data or manipulate authorization records. The exploit has been publicly disclosed through VulDB submission #434862, lowering the barrier for weaponization.
Root Cause
The root cause is the direct concatenation of the id request parameter into a SQL query string within delSystemEncryptPolicy. The function does not use prepared statements or parameterized queries. Input validation routines do not strip or escape SQL metacharacters before query execution.
Attack Vector
The attacker authenticates with low-privileged credentials and sends an HTTP request to the servlet endpoint mapped to CDGAuthoriseTempletService. The request includes a malicious id value containing SQL operators such as UNION, OR 1=1, or stacked statements terminated by ;. The database executes the injected payload alongside the original delete operation. Depending on database permissions, attackers retrieve table contents through blind or union-based techniques, modify policy records, or trigger denial-of-service conditions.
No verified exploit code is publicly indexed in Exploit-DB. Technical details are referenced in the VulDB Entry #282674 and the Flowus Shared Resource.
Detection Methods for CVE-2024-10659
Indicators of Compromise
- HTTP requests to CDGAuthoriseTempletService endpoints containing SQL metacharacters such as single quotes, UNION SELECT, --, ;, or /* in the id parameter
- Anomalous database query patterns originating from the ESAFENET CDG application service account
- Unexpected DELETE, SELECT, or UNION statements logged against tables tied to encryption policies and authorization templates
- Application errors or stack traces in CDG logs referencing SQL syntax exceptions tied to delSystemEncryptPolicy
Detection Strategies
- Inspect web server and application logs for requests to /com/esafenet/servlet/document/CDGAuthoriseTempletService with non-numeric or encoded values in the id parameter
- Deploy web application firewall (WAF) signatures for SQL injection patterns targeting the ESAFENET CDG servlet path
- Enable database query auditing to flag queries containing suspicious tautologies or boolean-based blind injection probes
- Correlate authentication events with subsequent abnormal query volumes from the same session
Monitoring Recommendations
- Forward CDG application logs, web server logs, and database audit logs to a centralized SIEM for correlation
- Alert on bursts of failed SQL queries from the CDG service account, indicating injection probing
- Baseline normal request rates to CDGAuthoriseTempletService and trigger alerts on statistical deviations
How to Mitigate CVE-2024-10659
Immediate Actions Required
- Restrict network access to ESAFENET CDG 5 management interfaces to trusted administrative networks only
- Audit and rotate credentials for any low-privileged accounts that can reach the vulnerable servlet
- Deploy WAF rules that block SQL metacharacters in the id parameter of CDGAuthoriseTempletService requests
- Review database logs for evidence of prior injection attempts against the delSystemEncryptPolicy function
Patch Information
No vendor advisory or official patch from ESAFENET is referenced in the available CVE data. Operators should contact ESAFENET directly for remediation guidance and monitor VulDB Entry #282674 for updates. Until a vendor patch is released, compensating controls are required.
Workarounds
- Place the CDG application behind a reverse proxy or WAF configured to reject requests containing SQL syntax in the id parameter
- Apply least-privilege principles to the database account used by ESAFENET CDG, removing unnecessary DROP, ALTER, and cross-database permissions
- Disable or restrict access to the CDGAuthoriseTempletService endpoint if it is not required for production operations
- Enforce strict input validation at the proxy layer, allowing only numeric values for the id parameter
# Example WAF ModSecurity rule to block SQL metacharacters in the id parameter
SecRule REQUEST_URI "@contains /com/esafenet/servlet/document/CDGAuthoriseTempletService" \
"chain,phase:2,deny,status:403,id:1009001,msg:'CVE-2024-10659 SQLi attempt'"
SecRule ARGS:id "@rx [^0-9]" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
