
CVE-2022-0495: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Parantez Teknoloji Parantez Teknoloji

Critical
Tags: Vulnerability, CVE-2022-0495, cve, cve-2022-0495, cwe-89
Published: Wed Sep 21 2022 (09/21/2022, 08:45:20 UTC)
Source: CVE Database V5
Vendor/Project: Parantez Teknoloji
Product: Parantez Teknoloji

Description

The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in version 19.05.03.01.

AI-Powered Analysis

Last updated: 07/06/2025, 02:26:12 UTC

Technical Analysis

CVE-2022-0495 is a critical SQL Injection vulnerability (CWE-89) in the KOHA library automation system developed by Parantez Teknoloji. It affects releases before the fixed version 19.05.03.01 (the vendor description names versions before 19.05.03 as affected) and lets an unauthenticated, remote attacker inject SQL into the queries the application sends to its backend database. The root cause is improper neutralization of special elements in SQL commands: request-controlled input is placed into query text without being separated from the query structure, so quotes, comment sequences and keywords in the input change what the query does. No authentication and no user interaction are needed.

Successful exploitation can disclose, modify or delete data held in the application database and can disrupt service. The CVSS v3.1 base score is 9.4 (critical): network attack vector, low attack complexity, no privileges required, no user interaction. No exploitation in the wild is reported, but an unauthenticated injection in an internet-facing application is straightforward to find and exploit, so the issue should be treated as urgent by any organization running an affected version. The public record does not name the vulnerable endpoint or parameter, so defenders cannot rely on a narrowly targeted signature; upgrading to 19.05.03.01 or later is the fix.
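The following is an added example, not code from Parantez Teknoloji's KOHA or from this advisory. The public record does not name the vulnerable endpoint or parameter, so the table, the patron lookup and the sample rows below are constructed to show the CWE-89 pattern the analysis describes: a query built by string concatenation beside the same query with a bound parameter, run against an in-memory SQLite database, with two generic unauthenticated payloads (a tautology and a UNION that reads a second table).

```python
import sqlite3

# Constructed sample data for the demonstration; not KOHA's schema or real records.
SAMPLE_PATRONS = [
    ("10001", "Ada Lovelace", "ada@example.org"),
    ("10002", "Alan Turing", "alan@example.org"),
    ("10003", "Grace Hopper", "grace@example.org"),
]
SAMPLE_STAFF = [("admin", "$2a$10$placeholder.hash.not.a.real.one")]


def build_db():
    """In-memory database standing in for the library's backend (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE borrowers (cardnumber TEXT, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO borrowers VALUES (?, ?, ?)", SAMPLE_PATRONS)
    conn.execute("CREATE TABLE staff (login TEXT, pwhash TEXT)")
    conn.executemany("INSERT INTO staff VALUES (?, ?)", SAMPLE_STAFF)
    return conn


def lookup_vulnerable(conn, cardnumber):
    """CWE-89: the request value is pasted into the SQL text, so quotes,
    UNION and comment sequences inside it become part of the query."""
    sql = f"SELECT name, email FROM borrowers WHERE cardnumber = '{cardnumber}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, cardnumber):
    """Hardened form: the value travels as a bound parameter and can only
    ever be compared against cardnumber, never reinterpreted as SQL."""
    sql = "SELECT name, email FROM borrowers WHERE cardnumber = ?"
    return conn.execute(sql, (cardnumber,)).fetchall()


# Attacker payloads (constructed, generic SQL injection strings).
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT login, pwhash FROM staff -- "


def vulnerable_breaks_on_quote(conn):
    """A legitimate value containing an apostrophe turns the concatenated
    query into a syntax error, which is how such bugs are often first noticed."""
    try:
        lookup_vulnerable(conn, "O'Brien")
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    conn = build_db()
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "10001"),
        "legit_safe": lookup_safe(conn, "10001"),
        "tautology_vulnerable": lookup_vulnerable(conn, TAUTOLOGY),  # every patron row
        "tautology_safe": lookup_safe(conn, TAUTOLOGY),              # no row
        "union_vulnerable": lookup_vulnerable(conn, UNION_DUMP),     # staff credential row
        "union_safe": lookup_safe(conn, UNION_DUMP),                 # no row
        "quote_breaks_vulnerable": vulnerable_breaks_on_quote(conn),
        "quote_safe": lookup_safe(conn, "O'Brien"),                  # no row, no error
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The point of the last two entries is that parameterization fixes both halves of the problem at once: the same apostrophe that crashes the concatenated query is handled as plain data by the bound one, which is why "sanitize the input" is the wrong remedy and "never build the statement from the input" is the right one.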

Potential Impact

For European organizations, especially libraries, educational institutions and research centres that run KOHA, the exposure is severe. An attacker who exploits the flaw can read patron data (personal details and borrowing records), breaking confidentiality; can alter or delete records, undermining the integrity and reliability of library services; and can disrupt database operations, affecting availability. Because no authentication is required, exploitation is possible from the internet with no prior foothold. A breach of patron data would also be a personal-data incident under the GDPR, with the notification duties, potential fines and reputational damage that entails.

Mitigation Recommendations

1. Upgrade all KOHA installations to version 19.05.03.01 or later, where the vulnerability is fixed, and verify the running version afterwards rather than trusting the package record.
2. Put a Web Application Firewall with SQL injection rules in front of KOHA as an additional layer. Because the public record names no vulnerable parameter, the rules have to be generic; tune them against KOHA's normal traffic so that legitimate catalogue searches, which routinely contain quotes and SQL-like words, are not blocked.
3. If your deployment carries local customizations or plugins that issue SQL, use parameterized queries (prepared statements) for every value that originates from a request. Input filtering on its own does not fix CWE-89; keeping data out of the statement text does.
4. Monitor database and application logs for queries carrying injection markers (tautologies such as OR '1'='1', UNION SELECT, comment sequences, SLEEP or BENCHMARK calls) and for unexpected spikes in rows returned or in query errors.
5. Run KOHA with a database account that holds only the privileges it needs (no file-system access, no administrative grants, no access to other schemas), so that an injection cannot read arbitrary files or reach other databases.
6. Segment the network so the KOHA host and its database are isolated from other critical systems, limiting lateral movement after a compromise.
7. Make sure administrators and security teams follow vendor advisories and apply patches promptly.
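As an added example for recommendation 4 (not code from KOHA or from this advisory): a small scanner over constructed log lines laid out like a MySQL/MariaDB general query log (timestamp, thread id, command, argument, tab-separated). The log format is an assumption for the illustration, as the page does not say which database KOHA uses; the rule names, table names and traffic are invented here.

```python
import re

# Constructed lines in the layout of MySQL's general query log. Not real traffic.
SAMPLE_LOG = [
    "2022-09-21T08:45:20.000001Z\t   12 Connect\tkoha@localhost on koha using TCP/IP",
    "2022-09-21T08:45:20.000120Z\t   12 Query\tSELECT name, email FROM borrowers WHERE cardnumber = '10001'",
    "2022-09-21T08:45:21.004410Z\t   12 Query\tSELECT name, email FROM borrowers WHERE cardnumber = '' OR '1'='1'",
    "2022-09-21T08:45:22.118000Z\t   13 Query\tSELECT name, email FROM borrowers WHERE cardnumber = '' UNION SELECT login, pwhash FROM staff -- '",
    "2022-09-21T08:45:23.220000Z\t   13 Query\tSELECT 1 FROM borrowers WHERE cardnumber = '' OR SLEEP(5) -- '",
    "2022-09-21T08:45:24.000000Z\t   14 Query\tSELECT COUNT(*) FROM issues WHERE borrowernumber = 42",
    "2022-09-21T08:45:25.000000Z\t   12 Quit\t",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")

# Heuristic markers an injection attempt leaves in query text; labels are ours.
RULES = [
    ("tautology", re.compile(r"\bOR\s+(['\"]?)(\w+)\1\s*=\s*\1\2\1", re.I)),
    ("union-select", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("comment-terminator", re.compile(r"(--\s|#|/\*)")),
    ("stacked-statement", re.compile(r";\s*(SELECT|INSERT|UPDATE|DELETE|DROP)\b", re.I)),
    ("time-based", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),
    ("schema-probe", re.compile(r"\binformation_schema\b", re.I)),
    ("file-access", re.compile(r"\bLOAD_FILE\s*\(|\bINTO\s+(OUT|DUMP)FILE\b", re.I)),
]


def parse_line(line):
    """Split one general-log line into its fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(query):
    """Return the names of every rule the query text triggers, in RULES order."""
    return [name for name, rx in RULES if rx.search(query)]


def scan(lines):
    """Return one finding per Query entry that trips at least one rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if not rec or rec["cmd"] != "Query":
            continue
        hits = classify(rec["arg"])
        if hits:
            findings.append({"line": n, "ts": rec["ts"], "thread": int(rec["thread"]),
                             "rules": hits, "query": rec["arg"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']} thread {f['thread']} {f['rules']}: {f['query']}")
```

Two caveats when applying this for real: the general query log records every statement and is expensive, so enable it for a bounded window or point the scanner at a proxy or slow-query log instead; and the comment-terminator and `#` rules will fire on legitimate ORM hints and on data values, so treat a hit as a lead to correlate with the web server's access log (same timestamp, same client), not as proof on its own.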


Technical Details

Data Version
5.1
Assigner Short Name
TR-CERT
Date Reserved
2022-02-04T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68360472182aa0cae21ef75a

Added to database: 5/27/2025, 6:29:06 PM

Last enriched: 7/6/2025, 2:26:12 AM

Last updated: 8/12/2025, 6:37:53 AM

