CVE-2022-43437 (GCVE-0-2022-43437)
Vulnerability from cvelistv5 – Published: 2023-01-03 00:00 – Updated: 2025-04-10 16:46
VLAI?
Title
HWA JIUH DIGITAL TECHNOLOGY LTD. EasyTest - SQL Injection
Summary
The Download function’s parameter of EasyTest has insufficient validation for user input. A remote attacker authenticated as a general user can inject arbitrary SQL command to access, modify or delete database.
Severity ?
8.8 (High)
CWE
- CWE-89 - SQL Injection
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HWA JIUH DIGITAL TECHNOLOGY LTD. | EasyTest |
Affected:
17L18S
|
Date Public ?
2022-12-30 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:32:58.976Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-6829-11133-1.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-43437",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T16:46:37.791313Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T16:46:55.622Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "EasyTest",
"vendor": "HWA JIUH DIGITAL TECHNOLOGY LTD.",
"versions": [
{
"status": "affected",
"version": "17L18S"
}
]
}
],
"datePublic": "2022-12-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Download function\u2019s parameter of EasyTest has insufficient validation for user input. A remote attacker authenticated as a general user can inject arbitrary SQL command to access, modify or delete database."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-03T00:00:00.000Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"url": "https://www.twcert.org.tw/tw/cp-132-6829-11133-1.html"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Easytest version to v.22I26"
}
],
"source": {
"advisory": "TVN-202212002",
"discovery": "EXTERNAL"
},
"title": "HWA JIUH DIGITAL TECHNOLOGY LTD. EasyTest - SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2022-43437",
"datePublished": "2023-01-03T00:00:00.000Z",
"dateReserved": "2022-10-19T00:00:00.000Z",
"dateUpdated": "2025-04-10T16:46:55.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2022-43437",
"date": "2026-05-03",
"epss": "0.00838",
"percentile": "0.74774"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-43437\",\"sourceIdentifier\":\"twcert@cert.org.tw\",\"published\":\"2023-01-03T03:15:10.187\",\"lastModified\":\"2024-11-21T07:26:29.107\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Download function\u2019s parameter of EasyTest has insufficient validation for user input. A remote attacker authenticated as a general user can inject arbitrary SQL command to access, modify or delete database.\"},{\"lang\":\"es\",\"value\":\"El par\u00e1metro de la funci\u00f3n Download de EasyTest no tiene validaci\u00f3n suficiente para la entrada del usuario. Un atacante remoto autenticado como usuario general puede inyectar un comando SQL arbitrario para acceder, modificar o eliminar la base de datos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"twcert@cert.org.tw\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"twcert@cert.org.tw\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:easy_test_project:easy_test:17l18s:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"61A9C215-C21E-4A3F-9854-4C9E599B01FB\"}]}]}],\"references\":[{\"url\":\"https://www.twcert.org.tw/tw/cp-132-6829-11133-1.html\",\"source\":\"twcert@cert.org.tw\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.twcert.org.tw/tw/cp-132-6829-11133-1.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.twcert.org.tw/tw/cp-132-6829-11133-1.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T13:32:58.976Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-43437\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-10T16:46:37.791313Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-10T16:46:50.297Z\"}}], \"cna\": {\"title\": \"HWA JIUH DIGITAL TECHNOLOGY LTD. EasyTest - SQL Injection\", \"source\": {\"advisory\": \"TVN-202212002\", \"discovery\": \"EXTERNAL\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"HWA JIUH DIGITAL TECHNOLOGY LTD.\", \"product\": \"EasyTest\", \"versions\": [{\"status\": \"affected\", \"version\": \"17L18S\"}]}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Update Easytest version to v.22I26\"}], \"datePublic\": \"2022-12-30T00:00:00.000Z\", \"references\": [{\"url\": \"https://www.twcert.org.tw/tw/cp-132-6829-11133-1.html\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Download function\\u2019s parameter of EasyTest has insufficient validation for user input. A remote attacker authenticated as a general user can inject arbitrary SQL command to access, modify or delete database.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89 SQL Injection\"}]}], \"providerMetadata\": {\"orgId\": \"cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e\", \"shortName\": \"twcert\", \"dateUpdated\": \"2023-01-03T00:00:00.000Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-43437\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-10T16:46:55.622Z\", \"dateReserved\": \"2022-10-19T00:00:00.000Z\", \"assignerOrgId\": \"cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e\", \"datePublished\": \"2023-01-03T00:00:00.000Z\", \"assignerShortName\": \"twcert\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…