CVE-2024-46636
SQL Injection in NASA EOSDIS MODAPS v8.1 Category Parameter
Publication date: 2026-04-27
Last updated on: 2026-04-28
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nasa | eosdis_modaps | 8.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
The vulnerability is a SQL injection in the category parameter of NASA EOSDIS MODAPS v8.1. This type of vulnerability can allow an attacker to manipulate the database queries executed by the system, potentially leading to unauthorized data access, data modification, or data deletion.
Can you explain this vulnerability to me?
The vulnerability in NASA Earth Observing System Data and Information System (EOSDIS) MODAPS v8.1 is a SQL injection issue found in the category parameter.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2024-46636 vulnerability is a SQL injection flaw that allows attackers to potentially access sensitive data without authorization by manipulating backend SQL queries.
Such unauthorized access to sensitive data can lead to violations of data protection regulations and standards such as GDPR and HIPAA, which require strict controls to protect personal and sensitive information.
Therefore, if exploited, this vulnerability could compromise compliance with these regulations by exposing or allowing manipulation of protected data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the `category` HTTP GET parameter of the MODAPS web application for SQL injection flaws. Since the issue involves improper input validation allowing manipulation of backend SQL queries, sending specially crafted input to the `category` parameter and observing error-based SQL injection responses can help identify the vulnerability.
While no specific exploit code or proof-of-concept is provided, typical detection commands might include using tools like curl or sqlmap to test the parameter. For example, a curl command to test the parameter could be:
- curl "http://<target>/modaps?category=' OR '1'='1"
- Or using sqlmap to automate detection: sqlmap -u "http://<target>/modaps?category=test" --risk=3 --level=5
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the vendor's fix as the vulnerability has been confirmed and fixed by the vendor. Until the patch is applied, restricting access to the vulnerable MODAPS web application and implementing web application firewall (WAF) rules to block suspicious SQL injection attempts targeting the `category` parameter can help reduce risk.
Additionally, reviewing and sanitizing all user inputs, especially the `category` HTTP GET parameter, to ensure proper validation and parameterized queries are used will prevent exploitation.