CVE-2025-45346 Overview
CVE-2025-45346 is a SQL Injection vulnerability affecting Bacula-web, a popular open-source web-based reporting and monitoring tool for the Bacula backup system. This vulnerability exists in versions prior to v9.7.1 and allows a remote attacker to execute arbitrary code via a crafted HTTP GET request. The flaw stems from improper sanitization of user-supplied input in the job files report functionality, enabling attackers to inject malicious SQL statements.
Critical Impact
Remote attackers can exploit this SQL Injection vulnerability to execute arbitrary code, potentially compromising the confidentiality, integrity, and availability of systems running vulnerable Bacula-web installations without requiring authentication or user interaction.
Affected Products
- Bacula-web versions prior to v9.7.1
- bacula:bacula-web (all versions before the security patch)
Discovery Timeline
- 2025-07-29 - CVE-2025-45346 published to NVD
- 2025-08-06 - Last updated in NVD database
Technical Details for CVE-2025-45346
Vulnerability Analysis
This SQL Injection vulnerability exists in the job files report functionality of Bacula-web. The application fails to properly sanitize user-controlled input before incorporating it into SQL queries. Specifically, the filename parameter is directly concatenated into SQL WHERE clauses without parameterization, allowing attackers to manipulate database queries through specially crafted HTTP GET requests.
The vulnerability requires network access; although the attack complexity is rated high, successful exploitation requires neither privileges nor user interaction. An attacker who successfully exploits this vulnerability could read, modify, or delete sensitive data from the Bacula backup database, potentially gaining access to backup metadata, job histories, and system configuration information.
Root Cause
The root cause of this vulnerability is the use of direct string concatenation for constructing SQL queries with user-supplied input. In the vulnerable code within application/Table/JobFileTable.php, the $filename variable is directly embedded into the SQL WHERE clause using string interpolation rather than parameterized queries. This classic SQL Injection pattern allows attackers to break out of the intended query structure and inject arbitrary SQL commands.
Attack Vector
The attack is conducted over the network via HTTP GET requests to the Bacula-web application. An attacker crafts a malicious request containing SQL injection payloads in the filename parameter. When the application processes this request for the job files report, the unsanitized input is incorporated directly into the SQL query, allowing the attacker to:
- Extract sensitive data from the database using UNION-based or error-based injection techniques
- Modify or delete database records
- Potentially execute arbitrary code depending on database privileges and configuration
The vulnerability can be exploited remotely without authentication, making internet-facing Bacula-web installations particularly at risk.
// Vulnerable code (before patch) in application/Table/JobFileTable.php
// User input directly concatenated into SQL query
$fields = array('Job.Name', 'Job.JobStatus', 'File.FileIndex', 'Path.Path', 'Filename.Name AS Filename');
$where = array("File.JobId = $jobId");
if (! empty($filename)) {
// VULNERABLE: Direct string interpolation allows SQL injection
$where[] = "(Filename.Name LIKE '%$filename%' OR Path.Path LIKE '%$filename%' OR concat(Path.Path, '', Filename.Name) = '$filename')";
}
// Fixed code (after patch) - uses parameterized queries
$fields = array('Job.Name', 'Job.JobStatus', 'File.FileIndex', 'Path.Path', 'Filename.Name AS Filename');
$where = array("File.JobId = $jobId");
if (! empty($filename)) {
// SECURE: Uses named parameters to prevent SQL injection
$this->addParameter('filename', '%'.$filename.'%');
$where[] = "(Filename.Name LIKE :filename OR Path.Path LIKE :filename OR concat(Path.Path, '', Filename.Name) = :filename)";
}
Source: GitHub Commit ad5d948
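The contrast between the two PHP snippets above (and the root-cause description of the filename parameter being interpolated into the WHERE clause) can be reproduced against a throwaway database. The following is an added example written for this page, not Bacula-web's own code: it re-implements both query builders in Python over an in-memory SQLite catalog whose tables, rows, and job numbers are constructed here and only mimic the Job/File/Path/Filename shape of the page's query (SQLite has no concat(), so "||" stands in for it). Unlike the patched PHP on the page, which binds one :filename value for both the LIKE and the equality comparison, the example binds the wildcard-wrapped pattern and the exact-match value separately; that is an assumption about the intended behaviour, not the project's patch. The input used to trigger the failure is an ordinary filename containing an apostrophe, which is enough to show why interpolation is unsafe and why binding keeps the value inert.

```python
import sqlite3

# Constructed subset of the Bacula catalog schema (enough for the JobFileTable
# query shape shown on the page; this is not the real Bacula DDL).
SCHEMA = """
CREATE TABLE Path (PathId INTEGER PRIMARY KEY, Path TEXT NOT NULL);
CREATE TABLE Filename (FilenameId INTEGER PRIMARY KEY, Name TEXT NOT NULL);
CREATE TABLE File (FileId INTEGER PRIMARY KEY, JobId INTEGER NOT NULL,
                   FileIndex INTEGER NOT NULL, PathId INTEGER NOT NULL,
                   FilenameId INTEGER NOT NULL);
"""

# SQLite has no concat(); "||" plays the role of concat(Path.Path, '', Filename.Name).
BASE_QUERY = (
    "SELECT File.FileIndex, Path.Path, Filename.Name FROM File "
    "JOIN Path ON Path.PathId = File.PathId "
    "JOIN Filename ON Filename.FilenameId = File.FilenameId "
    "WHERE {where} ORDER BY File.FileIndex"
)


def open_catalog():
    """In-memory catalog with a few constructed rows for job 7 and job 8."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Path VALUES (?, ?)", [(1, "/etc/"), (2, "/home/alice/")])
    conn.executemany("INSERT INTO Filename VALUES (?, ?)",
                     [(1, "passwd"), (2, "O'Brien notes.txt"), (3, "report.pdf")])
    conn.executemany("INSERT INTO File VALUES (?, ?, ?, ?, ?)",
                     [(1, 7, 1, 1, 1), (2, 7, 2, 2, 2), (3, 7, 3, 2, 3), (4, 8, 1, 1, 1)])
    return conn


def vulnerable_job_files(conn, job_id, filename):
    """Pre-patch pattern: the filter value is interpolated into the WHERE clause."""
    # The job id is cast to int here because the page's finding concerns `filename`.
    where = [f"File.JobId = {int(job_id)}"]
    if filename:
        # Any quote inside `filename` terminates the SQL string literal early.
        where.append(
            f"(Filename.Name LIKE '%{filename}%' OR Path.Path LIKE '%{filename}%' "
            f"OR Path.Path || Filename.Name = '{filename}')"
        )
    return conn.execute(BASE_QUERY.format(where=" AND ".join(where))).fetchall()


def safe_job_files(conn, job_id, filename):
    """Patched pattern: named parameters; the driver sends values separately."""
    where = ["File.JobId = :jobid"]
    params = {"jobid": int(job_id)}
    if filename:
        params["pattern"] = f"%{filename}%"   # wildcard wrapping stays inside the parameter
        params["exact"] = filename            # exact path match binds the raw value
        where.append(
            "(Filename.Name LIKE :pattern OR Path.Path LIKE :pattern "
            "OR Path.Path || Filename.Name = :exact)"
        )
    return conn.execute(BASE_QUERY.format(where=" AND ".join(where)), params).fetchall()


def compare(conn, job_id, filename):
    """Run both builders on the same input; report an SQL error instead of raising."""
    try:
        vulnerable = vulnerable_job_files(conn, job_id, filename)
    except sqlite3.Error as exc:
        vulnerable = f"SQL error: {exc}"
    return {"vulnerable": vulnerable, "safe": safe_job_files(conn, job_id, filename)}


if __name__ == "__main__":
    catalog = open_catalog()
    for name in ("passwd", "/etc/passwd", "O'Brien"):
        print(repr(name), compare(catalog, 7, name))
```

For plain filenames both builders return the same rows; for a name containing an apostrophe the interpolating builder produces a malformed statement (the same class of database syntax error the detection section below lists as an indicator), while the parameterized builder returns the matching row because the value never becomes part of the SQL text.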
Detection Methods for CVE-2025-45346
Indicators of Compromise
- Unusual HTTP GET requests to Bacula-web containing SQL metacharacters (single quotes, double dashes, UNION keywords) in query parameters
- Database error messages appearing in application logs indicating malformed SQL syntax
- Unexpected database queries or access patterns in database audit logs
- Evidence of data exfiltration or unauthorized database modifications in backup job metadata
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block common SQL injection patterns in HTTP requests
- Monitor web server access logs for suspicious requests containing SQL keywords and special characters targeting Bacula-web endpoints
- Enable database query logging and alert on anomalous query patterns or syntax errors
- Deploy intrusion detection systems (IDS) with signatures for SQL injection attack payloads
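The indicators and strategies above (SQL metacharacters in query parameters, requests that end in database errors) can be turned into a small log check. The following is an added example for this page, not a Bacula-web or vendor tool: it parses Apache/nginx "combined"-style access log lines, URL-decodes every query parameter (twice, so double-encoded input is not missed), and scores the decoded values against the indicator list from the page. The sample log lines, the /jobfiles request path and the client addresses are constructed for the example; only the filename parameter name comes from the page. A lone apostrophe is scored low because legitimate file names contain them, so it is reported but does not raise an alert on its own.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" request line (constructed sample lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicator name, pattern applied to the decoded parameter value, and weight.
# A single quote alone may be a legitimate filename (O'Brien.txt), so it only
# becomes an alert when combined with comment, UNION or stacked-query syntax.
INDICATORS = (
    ("single_quote", re.compile(r"'"), 1),
    ("sql_comment", re.compile(r"--|/\*"), 2),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S), 3),
    ("stacked_query", re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I), 3),
)
ALERT_THRESHOLD = 2

# Constructed log lines: a benign request, a legitimate apostrophe, a quote plus
# comment that produced a 500, and the same thing double-encoded.
SAMPLE_LOG = [
    '198.51.100.7 - - [29/Jul/2025:10:15:01 +0000] "GET /jobfiles?jobid=7&filename=report.pdf HTTP/1.1" 200 5120',
    '198.51.100.7 - - [29/Jul/2025:10:15:09 +0000] "GET /jobfiles?jobid=7&filename=O%27Brien%20notes.txt HTTP/1.1" 200 4880',
    '203.0.113.9 - - [29/Jul/2025:10:16:42 +0000] "GET /jobfiles?jobid=7&filename=x%27%20-- HTTP/1.1" 500 612',
    '203.0.113.9 - - [29/Jul/2025:10:16:50 +0000] "GET /jobfiles?jobid=7&filename=%2527-- HTTP/1.1" 500 640',
]


def inspect_request(line):
    """Parse one access log line; return a finding dict, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    hits, score = [], 0
    # parse_qs decodes once; the extra unquote() catches %2527 -> %27 -> '
    for param, values in parse_qs(target.query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)
            for name, pattern, weight in INDICATORS:
                if pattern.search(decoded):
                    hits.append(f"{param}:{name}")
                    score += weight
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "path": target.path,
        "status": int(m.group("status")),   # 5xx after an injection-shaped request is itself an indicator
        "indicators": hits,
        "score": score,
        "alert": score >= ALERT_THRESHOLD,
    }


def scan_log(lines):
    """Return findings for every parseable line that matched at least one indicator."""
    findings = (inspect_request(line) for line in lines)
    return [f for f in findings if f and f["indicators"]]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        level = "ALERT" if finding["alert"] else "info "
        print(level, finding["ip"], finding["path"], finding["status"], finding["indicators"])
```

The "--" rule will also fire on file names that legitimately contain a double hyphen, so in production the threshold and the weights should be tuned against the site's own traffic, and a 5xx status on the same request is worth adding to the score.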
Monitoring Recommendations
- Configure centralized logging for all Bacula-web HTTP traffic and database interactions
- Set up alerts for repeated failed database queries or syntax errors that may indicate injection attempts
- Monitor for unusual data access patterns in the Bacula database, particularly to sensitive backup metadata
- Implement network traffic analysis to detect potential data exfiltration following a successful attack
How to Mitigate CVE-2025-45346
Immediate Actions Required
- Upgrade Bacula-web to version 9.7.1 or later immediately to apply the security patch
- If immediate upgrade is not possible, restrict network access to Bacula-web using firewall rules to allow only trusted IP addresses
- Implement a Web Application Firewall (WAF) with SQL injection protection as an additional defense layer
- Review database access logs for any signs of prior exploitation attempts
Patch Information
The Bacula-web development team has released version 9.7.1 which addresses this SQL Injection vulnerability. The fix implements parameterized queries using named parameters (:filename) instead of direct string concatenation, preventing SQL injection attacks. Users should upgrade to this version as soon as possible.
For detailed patch information, refer to the GitHub Commit ad5d948 and the GitHub Release v9.7.1.
Workarounds
- Restrict access to Bacula-web by placing it behind a VPN or requiring authentication at the web server level
- Configure network firewalls to limit access to the Bacula-web interface to trusted internal networks only
- Deploy a reverse proxy with WAF capabilities configured to block SQL injection patterns
- Consider temporarily disabling the job files report functionality if feasible until the patch can be applied
# Example: Restrict Bacula-web access using iptables
# Allow only trusted IP addresses to access Bacula-web (adjust ports as needed)
iptables -A INPUT -p tcp --dport 80 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
# Example: Apache configuration to restrict access
# Add to Bacula-web virtual host configuration
<Directory /var/www/bacula-web>
Require ip 10.0.0.0/8 192.168.0.0/16
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.