CVE-2022-0495 (GCVE-0-2022-0495)
Vulnerability from cvelistv5 – Published: 2022-09-21 08:45 – Updated: 2025-05-27 18:21
VLAI?
Title
SQL Injection in KOHA
Summary
The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in the version 19.05.03.01.
Severity ?
9.4 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Parantez Teknoloji | Parantez Teknoloji |
Affected:
unspecified , < 19.05.03
(custom)
|
Date Public ?
2022-09-20 21:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:32:46.187Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.usom.gov.tr/bildirim/tr-22-0635"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-0495",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-27T18:21:43.747974Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-27T18:21:57.449Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Parantez Teknoloji",
"vendor": "Parantez Teknoloji",
"versions": [
{
"lessThan": "19.05.03",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Bartu Utku Sarp"
}
],
"datePublic": "2022-09-20T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in the version 19.05.03.01.\u003c/p\u003e"
}
],
"value": "The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in the version 19.05.03.01."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-03T15:52:28.115Z",
"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"shortName": "TR-CERT"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.usom.gov.tr/bildirim/tr-22-0635"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVulnerable KOHA module should be updated to the 19.05.03.01 version provided by the vendor. \u003c/p\u003e"
}
],
"value": "Vulnerable KOHA module should be updated to the 19.05.03.01 version provided by the vendor."
}
],
"source": {
"advisory": "TR-22-0635",
"defect": [
"TR-22-0635"
],
"discovery": "EXTERNAL"
},
"title": "SQL Injection in KOHA",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@usom.gov.tr",
"DATE_PUBLIC": "2022-09-21T08:00:00.000Z",
"ID": "CVE-2022-0495",
"STATE": "PUBLIC",
"TITLE": "SQL Injection in KOHA"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Parantez Teknoloji",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "19.05.03"
}
]
}
}
]
},
"vendor_name": "Parantez Teknoloji"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Bartu Utku Sarp"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in the version 19.05.03.01."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.usom.gov.tr/bildirim/tr-22-0635",
"refsource": "CONFIRM",
"url": "https://www.usom.gov.tr/bildirim/tr-22-0635"
}
]
},
"solution": [
{
"lang": "en",
"value": "Vulnerable KOHA module should be updated to the 19.05.03.01 version provided by the vendor."
}
],
"source": {
"advisory": "TR-22-0635",
"defect": [
"TR-22-0635"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"assignerShortName": "TR-CERT",
"cveId": "CVE-2022-0495",
"datePublished": "2022-09-21T08:45:20.355Z",
"dateReserved": "2022-02-04T00:00:00.000Z",
"dateUpdated": "2025-05-27T18:21:57.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2022-0495",
"date": "2026-04-25",
"epss": "0.0041",
"percentile": "0.6137"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:parantezteknoloji:koha_library_automation:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"19.05.03.01\", \"matchCriteriaId\": \"E0536BE0-8CF1-47AB-B054-4F0F488AE5A4\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in the version 19.05.03.01.\"}, {\"lang\": \"es\", \"value\": \"El producto del sistema de automatizaci\\u00f3n de bibliotecas KOHA desarrollado por Parantez Teknoloji versiones anteriores a 19.05.03, presenta una vulnerabilidad de inyecci\\u00f3n SQL no autenticada. Esto ha sido corregido en versi\\u00f3n 19.05.03.01\"}]",
"id": "CVE-2022-0495",
"lastModified": "2024-11-21T06:38:46.630",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"iletisim@usom.gov.tr\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L\", \"baseScore\": 9.4, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.5}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
"published": "2022-09-21T09:15:09.187",
"references": "[{\"url\": \"https://www.usom.gov.tr/bildirim/tr-22-0635\", \"source\": \"iletisim@usom.gov.tr\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.usom.gov.tr/bildirim/tr-22-0635\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "iletisim@usom.gov.tr",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"iletisim@usom.gov.tr\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-89\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-89\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-0495\",\"sourceIdentifier\":\"iletisim@usom.gov.tr\",\"published\":\"2022-09-21T09:15:09.187\",\"lastModified\":\"2024-11-21T06:38:46.630\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in the version 19.05.03.01.\"},{\"lang\":\"es\",\"value\":\"El producto del sistema de automatizaci\u00f3n de bibliotecas KOHA desarrollado por Parantez Teknoloji versiones anteriores a 19.05.03, presenta una vulnerabilidad de inyecci\u00f3n SQL no autenticada. Esto ha sido corregido en versi\u00f3n 19.05.03.01\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"iletisim@usom.gov.tr\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L\",\"baseScore\":9.4,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":5.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"iletisim@usom.gov.tr\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:parantezteknoloji:koha_library_automation:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"19.05.03.01\",\"matchCriteriaId\":\"E0536BE0-8CF1-47AB-B054-4F0F488AE5A4\"}]}]}],\"references\":[{\"url\":\"https://www.usom.gov.tr/bildirim/tr-22-0635\",\"source\":\"iletisim@usom.gov.tr\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.usom.gov.tr/bildirim/tr-22-0635\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.usom.gov.tr/bildirim/tr-22-0635\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T23:32:46.187Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-0495\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-27T18:21:43.747974Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-27T15:46:22.376Z\"}}], \"cna\": {\"title\": \"SQL Injection in KOHA\", \"source\": {\"defect\": [\"TR-22-0635\"], \"advisory\": \"TR-22-0635\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"Bartu Utku Sarp\"}], \"impacts\": [{\"capecId\": \"CAPEC-66\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-66 SQL Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Parantez Teknoloji\", \"product\": \"Parantez Teknoloji\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"19.05.03\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Vulnerable KOHA module should be updated to the 19.05.03.01 version provided by the vendor.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eVulnerable KOHA module should be updated to the 19.05.03.01 version provided by the vendor. \u003c/p\u003e\", \"base64\": false}]}], \"datePublic\": \"2022-09-20T21:00:00.000Z\", \"references\": [{\"url\": \"https://www.usom.gov.tr/bildirim/tr-22-0635\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in the version 19.05.03.01.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eThe library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in the version 19.05.03.01.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"ca940d4e-fea4-4aa2-9a58-591a58b1ce21\", \"shortName\": \"TR-CERT\", \"dateUpdated\": \"2023-09-03T15:52:28.115Z\"}, \"x_legacyV4Record\": {\"credit\": [{\"lang\": \"eng\", \"value\": \"Bartu Utku Sarp\"}], \"impact\": {\"cvss\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, \"source\": {\"defect\": [\"TR-22-0635\"], \"advisory\": \"TR-22-0635\", \"discovery\": \"EXTERNAL\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"19.05.03\", \"version_affected\": \"\u003c\"}]}, \"product_name\": \"Parantez Teknoloji\"}]}, \"vendor_name\": \"Parantez Teknoloji\"}]}}, \"solution\": [{\"lang\": \"en\", \"value\": \"Vulnerable KOHA module should be updated to the 19.05.03.01 version provided by the vendor.\"}], \"data_type\": \"CVE\", \"generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"references\": {\"reference_data\": [{\"url\": \"https://www.usom.gov.tr/bildirim/tr-22-0635\", \"name\": \"https://www.usom.gov.tr/bildirim/tr-22-0635\", \"refsource\": \"CONFIRM\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in the version 19.05.03.01.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-89 SQL Injection\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2022-0495\", \"STATE\": \"PUBLIC\", \"TITLE\": \"SQL Injection in KOHA\", \"ASSIGNER\": \"cve@usom.gov.tr\", \"DATE_PUBLIC\": \"2022-09-21T08:00:00.000Z\"}}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-0495\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-27T18:21:57.449Z\", \"dateReserved\": \"2022-02-04T00:00:00.000Z\", \"assignerOrgId\": \"ca940d4e-fea4-4aa2-9a58-591a58b1ce21\", \"datePublished\": \"2022-09-21T08:45:20.355Z\", \"assignerShortName\": \"TR-CERT\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…