
CVE-2022-43022: n/a in n/a

Severity: Medium
Type: Vulnerability
Published: Wed Oct 19 2022 (10/19/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the tag_id variable in the Tag deletion function.

AI-Powered Analysis

Last updated: 07/05/2025, 02:41:43 UTC

Technical Analysis

CVE-2022-43022 is a SQL injection vulnerability identified in OpenCATS version 0.9.6, specifically affecting the Tag deletion function through the 'tag_id' parameter. OpenCATS is an open-source applicant tracking system used to manage recruitment processes. The vulnerability arises because the 'tag_id' input is not properly sanitized or parameterized before being used in SQL queries, allowing an attacker with at least low-level privileges (PR:L) to inject malicious SQL code remotely (AV:N) without requiring user interaction (UI:N). The vulnerability impacts confidentiality (C:H) but does not affect integrity or availability. Exploiting this flaw could allow an attacker to extract sensitive data from the database, such as candidate information or internal recruitment details, without modifying or deleting data. The CVSS 3.1 base score is 6.5, indicating a medium severity level. No known exploits are currently reported in the wild, and no official patches or vendor advisories are listed, which may suggest limited awareness or slower remediation. The vulnerability is categorized under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), a common and critical class of injection flaws. Given the nature of OpenCATS as a recruitment tool, the exposure of candidate personal data could have significant privacy and compliance implications.

Potential Impact

For European organizations, the impact of CVE-2022-43022 can be significant, especially for those using OpenCATS to manage recruitment and HR data. The vulnerability allows unauthorized disclosure of sensitive personal data, potentially including names, contact details, employment history, and other personally identifiable information (PII). This exposure risks violating the EU General Data Protection Regulation (GDPR), which mandates strict controls over personal data processing and breach notification. A successful attack could lead to reputational damage, regulatory fines, and loss of trust from candidates and employees. Since the vulnerability does not affect data integrity or availability, the primary concern is confidentiality breach. However, the ease of remote exploitation with low privileges and no user interaction increases the risk profile. Organizations relying on OpenCATS for recruitment workflows may face operational disruptions if they need to take systems offline for investigation or remediation. Additionally, attackers could use the extracted data for further social engineering or targeted attacks against the organization.

Mitigation Recommendations

To mitigate CVE-2022-43022, European organizations should first verify whether they are running OpenCATS version 0.9.6 or earlier. Immediate steps include restricting access to the Tag deletion functionality to trusted administrators only and implementing network-level controls such as IP whitelisting or VPN access to limit exposure. Since no official patch is currently available, organizations should consider a manual code review and fix that validates and parameterizes the 'tag_id' input before it reaches any SQL query, following secure coding practices to prevent injection. Employing Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'tag_id' parameter can provide temporary protection. Regularly monitoring application logs for suspicious query patterns or repeated failed attempts on the Tag deletion function is recommended. Organizations should also prepare incident response plans to handle potential data breaches, including GDPR notification procedures. Finally, engaging with the OpenCATS community or maintainers to track patch releases and applying updates promptly once available is critical.
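The two controls recommended above, parameterizing the 'tag_id' input and monitoring logs for abnormal values of that parameter, as an added example written for this page. It is not OpenCATS's own code or schema: the `tag` table, the `/tags/delete` path and the access-log lines are constructed stand-ins.

```python
import re
import sqlite3

TAG_ID_RE = re.compile(r"[1-9][0-9]*")  # allow-list: a tag id is a positive integer

def make_db():
    # Constructed in-memory stand-in for a tag table; not the OpenCATS schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tag (tag_id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO tag VALUES (?, ?)",
                     [(1, "java"), (2, "remote"), (3, "senior")])
    conn.commit()
    return conn

def tag_count(conn):
    return conn.execute("SELECT COUNT(*) FROM tag").fetchone()[0]

def delete_tag_vulnerable(conn, tag_id):
    # CWE-89 pattern the advisory describes: the request parameter is spliced into
    # the statement text, so it becomes part of the WHERE clause instead of a value.
    cur = conn.execute(f"DELETE FROM tag WHERE tag_id = {tag_id}")
    conn.commit()
    return cur.rowcount  # rows actually deleted

def delete_tag_hardened(conn, tag_id):
    # 1. Validate the shape before anything touches the database.
    if not TAG_ID_RE.fullmatch(str(tag_id)):
        raise ValueError("tag_id must be a positive integer")
    # 2. Bind the value as a query parameter; the driver never treats it as SQL.
    cur = conn.execute("DELETE FROM tag WHERE tag_id = ?", (int(tag_id),))
    conn.commit()
    return cur.rowcount

TAG_ID_PARAM_RE = re.compile(r'[?&]tag_id=([^&\s"]*)')

def suspicious_tag_id_requests(log_lines):
    # Log-monitoring rule: flag any request whose tag_id parameter is not a plain
    # integer. Values are still URL-encoded in the log, so a space appears as %20.
    flagged = []
    for line in log_lines:
        m = TAG_ID_PARAM_RE.search(line)
        if m and not re.fullmatch(r"[0-9]+", m.group(1)):
            flagged.append(line)
    return flagged

# Constructed access-log lines; the path is illustrative, not an OpenCATS route.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Oct/2022:10:00:01 +0000] "GET /tags/delete?tag_id=2 HTTP/1.1" 302 -',
    '10.0.0.9 - - [19/Oct/2022:10:00:07 +0000] "GET /tags/delete?tag_id=2%20OR%201%3D1 HTTP/1.1" 302 -',
]
```

The hardened function refuses the second log line's value outright, while the vulnerable one would let it widen the WHERE clause to every row; the same integer allow-list is what a WAF rule for this parameter should enforce.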


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-10-17T00:00:00.000Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d9818c4522896dcbd7a49

Added to database: 5/21/2025, 9:08:40 AM

Last enriched: 7/5/2025, 2:41:43 AM

Last updated: 7/29/2025, 2:56:29 AM

Views: 10
