CVE-2025-45346
BaseFortify
Publication date: 2025-07-29
Last updated on: 2025-08-06
Assigner: MITRE
Description
CVSS Scores
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bacula | bacula-web | all versions before 9.7.1 (9.7.1 itself is the first fixed release and is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a SQL injection flaw (CWE-89) in Bacula-web versions before 9.7.1. The job files report feature took the filename parameter from an HTTP GET request and inserted it directly into an SQL query string, so an attacker who places quote characters and SQL syntax in that parameter changes the query the application runs against its database. The CVE record describes the impact as execution of arbitrary code via a crafted HTTP GET request. The fix in 9.7.1 replaces the string concatenation with parameterized queries, which hand the user-supplied value to the database driver as a bound parameter rather than as part of the SQL text, so it can no longer be interpreted as SQL. [2]
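To make the concatenation-versus-binding distinction concrete, here is an added example (not Bacula-web's code; the table layout, sample rows and the two payload strings are constructed for illustration) that runs the same two payloads through a vulnerable query built by string concatenation and through its parameterized replacement, using Python's sqlite3 module as a stand-in for the catalog database:

```python
import sqlite3

# Constructed sample catalog data (not real Bacula data): a file table like
# the one a job files report would query, and a users table that the report
# is never supposed to expose.
SAMPLE_FILES = [
    ("/etc/passwd", 1),
    ("/etc/shadow", 1),
    ("/var/log/syslog", 2),
]
SAMPLE_USERS = [("admin", "$2y$10$constructed-hash")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (filename TEXT, jobid INTEGER)")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?)", SAMPLE_FILES)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def search_vulnerable(conn, filename):
    """The pattern the CVE describes: the request parameter is pasted into the SQL text."""
    sql = "SELECT filename FROM files WHERE filename = '" + filename + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, filename):
    """The fix: the value is bound by the driver and is never parsed as SQL."""
    sql = "SELECT filename FROM files WHERE filename = ?"
    return [row[0] for row in conn.execute(sql, (filename,))]


# Two classic payloads an attacker would send in the filename parameter.
PAYLOAD_OR = "' OR '1'='1"                                # turns the WHERE clause into a tautology
PAYLOAD_UNION = "' UNION SELECT password FROM users -- "  # appends rows from an unrelated table


def demo():
    conn = make_db()
    return {
        "vulnerable_or": search_vulnerable(conn, PAYLOAD_OR),
        "vulnerable_union": search_vulnerable(conn, PAYLOAD_UNION),
        "parameterized_or": search_parameterized(conn, PAYLOAD_OR),
        "parameterized_union": search_parameterized(conn, PAYLOAD_UNION),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22s} -> {rows}")
```

With concatenation, the tautology payload returns every file row and the UNION payload returns the password hash from a table the report never references; with binding, both payloads are matched literally as filenames and return nothing. The fix does not depend on escaping or filtering the input, which is why parameterization rather than sanitization is the correct remediation for CWE-89.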
How can this vulnerability impact me?
According to the CVE record, a remote attacker can execute arbitrary code on the affected system. At minimum, an injectable query lets the attacker run SQL of their choosing against the database that Bacula-web queries, which covers reading, modifying or deleting data and, depending on the privileges of the database account Bacula-web uses, can lead to further compromise of the host. The CVSS score of 8.1 (High) reflects significant confidentiality, integrity and availability impact. Exposure is greatest where the Bacula-web interface is reachable from untrusted networks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
No detection commands are given in the available resources, so detection relies on the request pattern. The injection point is the filename parameter of the job files report, sent in an HTTP GET request, so the attacker's value appears in the web server's access logs and in any WAF or IDS logs in front of Bacula-web. Look for values that contain SQL syntax rather than a file path: single quotes, boolean expressions such as OR '1'='1, UNION SELECT, comment sequences (-- or /*), or stacked statements, bearing in mind that these are usually percent-encoded in the raw log line and must be decoded before matching. Database errors or unusually large responses from the job files report are a secondary signal. Independently of log evidence, confirm the deployed Bacula-web version: anything before 9.7.1 is affected whether or not exploitation attempts have been seen.
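The following added example (not from the original page or from the Bacula-web project) implements that log check over a few constructed Apache-style access log lines. The endpoint path /jobfiles.php and the parameter name filename are assumptions standing in for the job files report and its injectable parameter; adjust both to match the deployment being checked.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# Constructed Apache-style access log lines (not real Bacula-web logs).
# The path /jobfiles.php and the parameter name "filename" are assumptions
# standing in for the job files report endpoint and its injectable parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jul/2025:10:01:02 +0000] "GET /jobfiles.php?jobid=12&filename=%2Fetc%2Fhosts HTTP/1.1" 200 1532
10.0.0.7 - - [29/Jul/2025:10:01:09 +0000] "GET /jobfiles.php?jobid=12&filename=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 98211
10.0.0.7 - - [29/Jul/2025:10:01:15 +0000] "GET /jobfiles.php?jobid=12&filename=%27%20UNION%20SELECT%20password%20FROM%20users%20--%20 HTTP/1.1" 200 2210
10.0.0.9 - - [29/Jul/2025:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 4402
"""

# Common log format: client, ident, user, [timestamp], "request line", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) (?P<size>\S+)'
)

# Heuristics for SQL syntax where a file path is expected. They are applied
# to the decoded parameter value, so percent-encoding does not hide them.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+['\w]+\s*=", re.IGNORECASE),   # ' OR '1'='1
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.IGNORECASE),
    re.compile(r"--|/\*"),                                      # comment sequences
    re.compile(r";\s*(drop|delete|update|insert|alter)\b", re.IGNORECASE),
    re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.IGNORECASE),
]


def find_sqli_in_log(text, watched_path="/jobfiles.php", watched_param="filename"):
    """Return one record per request whose watched parameter looks like SQL."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if url.path != watched_path:
            continue
        # parse_qs percent-decodes once; decode again to catch double-encoded payloads.
        for raw in parse_qs(url.query, keep_blank_values=True).get(watched_param, []):
            value = unquote_plus(raw)
            matched = next((p.pattern for p in SQLI_PATTERNS if p.search(value)), None)
            if matched:
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "value": value, "pattern": matched})
                break  # one finding per request is enough
    return hits


if __name__ == "__main__":
    for h in find_sqli_in_log(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} filename={h["value"]!r} matched {h["pattern"]}')
```

On the sample the benign request for /etc/hosts and the unrelated /index.php request produce no findings, while the two requests from 10.0.0.7 are flagged for the tautology and the UNION payload respectively. The patterns are deliberately simple; an attacker can evade them with case tricks the regexes do not cover or with alternative encodings, so treat a match as a trigger for investigation and the absence of matches as no proof that the instance was not attacked.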
What immediate steps should I take to mitigate this vulnerability?
Upgrade Bacula-web to version 9.7.1 or later; that release replaces the vulnerable SQL string concatenation in the job files report with parameterized queries, which removes the injection point. Until the upgrade can be applied, restrict access to the Bacula-web interface to trusted users and networks (for example by limiting it to the administrative network or requiring authentication at a reverse proxy), and, if a WAF is in place, block requests whose filename parameter contains SQL syntax. Treat the WAF rule as a stop-gap only: pattern-based blocking can be bypassed and is not a substitute for the fixed release. [1, 2]