Metacat data repository software versions 2.0.0 and later are affected by an unauthenticated SQL injection vulnerability in the /harvesterRegistration endpoint. The dbInsert() method constructs an SQL INSERT statement against the HARVEST_SITE_SCHEDULE table using string concatenation and a quoteString() helper that only wraps inputs in single quotes without escaping special characters. Three parameters (unit, contactEmail, documentListURL) reach this vulnerable sink. The servlet does not verify LDAP identities, allowing unauthenticated attackers to exploit this flaw. Due to PostgreSQL's support for stacked queries via Statement.executeUpdate(), attackers can execute arbitrary SQL commands, resulting in full read, write, and execute access within the database context. The issue was remediated in Metacat 3.0.0.

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on the Metacat database via the /harvesterRegistration endpoint. Exploitation can lead to full compromise of the database, including unauthorized reading, modification, and execution of SQL commands. This poses a critical risk to data confidentiality, integrity, and availability within affected Metacat deployments.

A fix is available in Metacat version 3.0.0, which remediates this SQL injection vulnerability. Users should upgrade to version 3.0.0 or later to mitigate this issue. No other official remediation or temporary fixes are documented. Until upgrading, restrict access to the /harvesterRegistration endpoint to trusted users or networks to reduce exposure.