
=====================================================================

                             CERT-Renater

                   Information Note No. 2021/VULN057
_____________________________________________________________________

DATE                : 01/02/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Casdoor versions prior to 1.13.1.

=====================================================================
https://github.com/advisories/GHSA-m358-g4rp-533r
https://github.com/casdoor/casdoor/issues/439
https://github.com/casdoor/casdoor/pull/442
https://github.com/casdoor/casdoor/compare/v1.13.0...v1.13.1
https://github.com/casdoor/casdoor/commit/5ec0c7a89005819960d8fe07f5ddda13d1371b8c
_____________________________________________________________________


SQL Injection in Casdoor
Severity: Moderate (GitHub Reviewed)


Vulnerability details

Package             github.com/casdoor/casdoor (go)
Affected versions   < 1.13.1
Patched versions    1.13.1


Description

The query API in Casdoor before 1.13.1 has a SQL injection
vulnerability related to the field and value parameters,
as demonstrated by api/get-organizations.
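
The CWE-89 pattern described above, as an added illustration that is not Casdoor's code: a filter built by splicing caller-controlled field and value strings into SQL text, beside the hardened form that checks the column name against an allowlist and binds the value as a parameter. Table and column names, and the sample input, are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Allowlist of columns a caller may filter on (assumed names, not Casdoor's schema).
var allowedFields = map[string]bool{"name": true, "owner": true, "display_name": true}

// Defence in depth: even allowlisted names must look like plain identifiers.
var identRe = regexp.MustCompile(`^[a-z_][a-z0-9_]*$`)

// UnsafeFilter reproduces the defect class: field and value are both
// interpolated into the statement, so either can change its structure.
func UnsafeFilter(field, value string) string {
	return fmt.Sprintf("SELECT * FROM organization WHERE %s = '%s'", field, value)
}

// SafeFilter rejects any column not on the allowlist and passes the value
// as a bound argument, leaving the SQL text fixed regardless of input.
func SafeFilter(field, value string) (string, []interface{}, error) {
	if !allowedFields[field] || !identRe.MatchString(field) {
		return "", nil, errors.New("filter field not permitted: " + field)
	}
	query := fmt.Sprintf("SELECT * FROM organization WHERE %s = ?", field)
	return query, []interface{}{value}, nil
}

func main() {
	// Constructed input: a quote in the value rewrites the WHERE clause in the unsafe form.
	fmt.Println(UnsafeFilter("name", "x' OR '1'='1"))
	q, args, err := SafeFilter("name", "x' OR '1'='1")
	fmt.Println(q, args, err) // value stays a parameter, query text unchanged
	_, _, err = SafeFilter("name; DROP TABLE organization; --", "x")
	fmt.Println(err) // column name outside the allowlist is refused
}
```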


References

https://nvd.nist.gov/vuln/detail/CVE-2022-24124
casdoor/casdoor#439
casdoor/casdoor#442
casdoor/casdoor@v1.13.0...v1.13.1
casdoor/casdoor@5ec0c7a


CVE ID
CVE-2022-24124

CWEs
CWE-89


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================


