CVE-2024-8332 Overview
CVE-2024-8332 is a SQL injection vulnerability [CWE-89] in master-nan Sweet-CMS, an open-source content management system written in Go. The flaw resides in the /table/index endpoint, where attacker-controlled input reaches database query construction without proper sanitization. Remote attackers with low privileges can manipulate query parameters to inject arbitrary SQL statements. Sweet-CMS follows a rolling release model, so no specific affected version range is available. The maintainer published a patch under commit hash 146359646a5a90cb09156dbd0013b7df77f2aa6c, which introduces input sanitization via a utils.SanitizeInput helper.
Critical Impact
Authenticated remote attackers can inject SQL commands through the /table/index endpoint, potentially exposing or modifying database contents handled by Sweet-CMS.
Affected Products
- master-nan Sweet-CMS (rolling release prior to commit 146359646a5a90cb09156dbd0013b7df77f2aa6c)
- Deployments exposing the /table/index endpoint to untrusted users
- Self-hosted Sweet-CMS instances built from affected Git revisions
Discovery Timeline
- 2024-08-30 - CVE-2024-8332 published to NVD
- 2024-09-03 - Last updated in NVD database
Technical Details for CVE-2024-8332
Vulnerability Analysis
The vulnerability is a classic SQL injection [CWE-89] in the Sweet-CMS dictionary and generalization controllers. User-supplied path parameters such as code and id flow directly into downstream database query logic without sanitization. An attacker authenticated with low privileges can craft malicious values for these parameters to alter query semantics.
Because Sweet-CMS is written in Go using the Gin web framework, the input is read through ctx.Param(...) and passed to service-layer functions that compose SQL queries. Without parameterization or sanitization, this enables injection of arbitrary SQL fragments.
The EPSS score of 0.128% indicates a low predicted likelihood of exploitation in the wild, but the impact on data confidentiality and integrity in affected deployments remains significant.
Root Cause
The root cause is missing input validation on path parameters consumed by controllers in controller/sys_dict_controller.go and controller/generalization_controller.go. The patched code introduces utils.SanitizeInput around ctx.Param("code") and reorders response initialization in the Query handler to ensure error context exists before parameter parsing.
Attack Vector
An attacker sends a crafted HTTP request to the /table/index route (or related dictionary endpoints) with a malicious id or code value. The injected payload is concatenated into the backing SQL query, allowing the attacker to read or modify database records accessible to the Sweet-CMS service account.
// Patch in controller/sys_dict_controller.go
func (t *DictController) GetSysDictByCode(ctx *gin.Context) {
resp := response.NewResponse()
ctx.Set("response", resp)
- code := ctx.Param("code")
+ code := utils.SanitizeInput(ctx.Param("code"))
data, err := t.sysDictService.GetSysDictByCode(code)
if err != nil {
e := &response.AdminError{
Source: GitHub Commit 146359646a
// Patch in controller/generalization_controller.go
func (gc *GeneralizationController) Query(ctx *gin.Context) {
- id, err := strconv.Atoi(ctx.Param("id"))
resp := response.NewResponse()
ctx.Set("response", resp)
+ id, err := strconv.Atoi(ctx.Param("id"))
if err != nil {
_ = ctx.Error(err)
return
Source: GitHub Commit 146359646a
Detection Methods for CVE-2024-8332
Indicators of Compromise
- HTTP requests to /table/index or dictionary endpoints containing SQL meta-characters such as ', --, UNION, or SLEEP( in path parameters
- Application logs showing parsing errors from strconv.Atoi on the id path parameter followed by successful subsequent queries
- Unexpected database errors or unusually long query execution times originating from Sweet-CMS service accounts
Detection Strategies
- Inspect web server and reverse proxy logs for non-numeric or oversized values in the id and code path parameters of Sweet-CMS routes
- Deploy web application firewall (WAF) signatures for common SQL injection payload patterns targeting Gin-based applications
- Enable database query logging and alert on queries containing tautologies (OR 1=1), UNION SELECT, or time-based delays
Monitoring Recommendations
- Correlate authentication events with downstream requests to /table/index to identify low-privileged accounts probing the endpoint
- Baseline normal parameter values for Sweet-CMS routes and alert on statistical deviations
- Monitor outbound network traffic from the Sweet-CMS host for signs of data exfiltration following suspicious requests
How to Mitigate CVE-2024-8332
Immediate Actions Required
- Rebuild and redeploy Sweet-CMS from a Git revision that includes commit 146359646a5a90cb09156dbd0013b7df77f2aa6c or later
- Restrict network access to Sweet-CMS administrative endpoints to trusted users and management networks
- Audit existing accounts and rotate credentials if exposure to untrusted users is suspected
Patch Information
Apply the upstream fix delivered in GitHub commit 146359646a5a90cb09156dbd0013b7df77f2aa6c. The patch routes code parameters through utils.SanitizeInput and reorders the Query handler so the response context is established before parameter parsing. Because Sweet-CMS uses rolling releases, verify the deployed binary by checking the commit hash baked into the build rather than relying on version tags. Additional discussion is available in the project's GitHub Issue #1 and GitHub Issue #2.
Workarounds
- Place Sweet-CMS behind a WAF configured to block SQL injection patterns on the /table/index and dictionary endpoints
- Enforce strict request validation at the reverse proxy, rejecting non-integer id values and non-alphanumeric code values
- Run the Sweet-CMS database account with least-privilege grants, removing DROP, ALTER, and cross-database read access
# Example nginx rule rejecting non-numeric id path parameters
location ~ ^/table/index/(?<tid>[^/]+)$ {
if ($tid !~ ^[0-9]+$) { return 400; }
proxy_pass http://sweet_cms_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
