CVE-2022-0495 - Vulnerability Details - OpenCVE

The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in the version 19.05.03.01.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0043.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Parantezteknoloji	Koha Library Automation

Configuration 1 [-]

cpe:2.3:a:parantezteknoloji:koha_library_automation:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-15632	The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in the version 19.05.03.01.

Fixes

Solution

Vulnerable KOHA module should be updated to the 19.05.03.01 version provided by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.usom.gov.tr/bildirim/tr-22-0635

History

Tue, 27 May 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 17 Sep 2024 01:00:00 +0000

Type	Values Removed	Values Added
Description	The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in the version 19.05.03.01.	The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in the version 19.05.03.01.
Title	SQL Injection in KOHA	SQL Injection in KOHA

MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published: 2022-09-21T08:45:20.355Z

Updated: 2025-05-27T18:21:57.449Z

Reserved: 2022-02-04T00:00:00.000Z

Link: CVE-2022-0495

Vulnrichment

Updated: 2024-08-02T23:32:46.187Z

NVD

Status : Modified

Published: 2022-09-21T09:15:09.187

Modified: 2024-11-21T06:38:46.630

Link: CVE-2022-0495

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Parantez Teknoloji", "vendor": "Parantez Teknoloji", "versions": [{"lessThan": "19.05.03", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Bartu Utku Sarp"}], "datePublic": "2022-09-20T21:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in the version 19.05.03.01.</p>"}], "value": "The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in the version 19.05.03.01."}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21", "shortName": "TR-CERT", "dateUpdated": "2023-09-03T15:52:28.115Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.usom.gov.tr/bildirim/tr-22-0635"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Vulnerable KOHA module should be updated to the 19.05.03.01 version provided by the vendor. </p>"}], "value": "Vulnerable KOHA module should be updated to the 19.05.03.01 version provided by the vendor."}], "source": {"advisory": "TR-22-0635", "defect": ["TR-22-0635"], "discovery": "EXTERNAL"}, "title": "SQL Injection in KOHA", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@usom.gov.tr", "DATE_PUBLIC": "2022-09-21T08:00:00.000Z", "ID": "CVE-2022-0495", "STATE": "PUBLIC", "TITLE": "SQL Injection in KOHA"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Parantez Teknoloji", "version": {"version_data": [{"version_affected": "<", "version_value": "19.05.03"}]}}]}, "vendor_name": "Parantez Teknoloji"}]}}, "credit": [{"lang": "eng", "value": "Bartu Utku Sarp"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in the version 19.05.03.01."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89 SQL Injection"}]}]}, "references": {"reference_data": [{"name": "https://www.usom.gov.tr/bildirim/tr-22-0635", "refsource": "CONFIRM", "url": "https://www.usom.gov.tr/bildirim/tr-22-0635"}]}, "solution": [{"lang": "en", "value": "Vulnerable KOHA module should be updated to the 19.05.03.01 version provided by the vendor."}], "source": {"advisory": "TR-22-0635", "defect": ["TR-22-0635"], "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:32:46.187Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.usom.gov.tr/bildirim/tr-22-0635"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-27T18:21:43.747974Z", "id": "CVE-2022-0495", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-27T18:21:57.449Z"}}]}, "cveMetadata": {"assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21", "assignerShortName": "TR-CERT", "cveId": "CVE-2022-0495", "datePublished": "2022-09-21T08:45:20.355Z", "dateReserved": "2022-02-04T00:00:00.000Z", "dateUpdated": "2025-05-27T18:21:57.449Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.usom.gov.tr/bildirim/tr-22-0635", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:32:46.187Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-0495", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-27T18:21:43.747974Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-27T15:46:22.376Z"}}], "cna": {"title": "SQL Injection in KOHA", "source": {"defect": ["TR-22-0635"], "advisory": "TR-22-0635", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Bartu Utku Sarp"}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Parantez Teknoloji", "product": "Parantez Teknoloji", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "19.05.03", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Vulnerable KOHA module should be updated to the 19.05.03.01 version provided by the vendor.", "supportingMedia": [{"type": "text/html", "value": "<p>Vulnerable KOHA module should be updated to the 19.05.03.01 version provided by the vendor. </p>", "base64": false}]}], "datePublic": "2022-09-20T21:00:00.000Z", "references": [{"url": "https://www.usom.gov.tr/bildirim/tr-22-0635", "tags": ["x_refsource_CONFIRM"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in the version 19.05.03.01.", "supportingMedia": [{"type": "text/html", "value": "<p>The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in the version 19.05.03.01.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21", "shortName": "TR-CERT", "dateUpdated": "2023-09-03T15:52:28.115Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Bartu Utku Sarp"}], "impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, "source": {"defect": ["TR-22-0635"], "advisory": "TR-22-0635", "discovery": "EXTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "19.05.03", "version_affected": "<"}]}, "product_name": "Parantez Teknoloji"}]}, "vendor_name": "Parantez Teknoloji"}]}}, "solution": [{"lang": "en", "value": "Vulnerable KOHA module should be updated to the 19.05.03.01 version provided by the vendor."}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://www.usom.gov.tr/bildirim/tr-22-0635", "name": "https://www.usom.gov.tr/bildirim/tr-22-0635", "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in the version 19.05.03.01."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89 SQL Injection"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-0495", "STATE": "PUBLIC", "TITLE": "SQL Injection in KOHA", "ASSIGNER": "cve@usom.gov.tr", "DATE_PUBLIC": "2022-09-21T08:00:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2022-0495", "state": "PUBLISHED", "dateUpdated": "2025-05-27T18:21:57.449Z", "dateReserved": "2022-02-04T00:00:00.000Z", "assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21", "datePublished": "2022-09-21T08:45:20.355Z", "assignerShortName": "TR-CERT"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parantezteknoloji:koha_library_automation:*:*:*:*:*:*:*:*", "matchCriteriaId": "E0536BE0-8CF1-47AB-B054-4F0F488AE5A4", "versionEndExcluding": "19.05.03.01", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in the version 19.05.03.01."}, {"lang": "es", "value": "El producto del sistema de automatizaci\u00f3n de bibliotecas KOHA desarrollado por Parantez Teknoloji versiones anteriores a 19.05.03, presenta una vulnerabilidad de inyecci\u00f3n SQL no autenticada. Esto ha sido corregido en versi\u00f3n 19.05.03.01"}], "id": "CVE-2022-0495", "lastModified": "2024-11-21T06:38:46.630", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "iletisim@usom.gov.tr", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Secondary"}]}, "published": "2022-09-21T09:15:09.187", "references": [{"source": "iletisim@usom.gov.tr", "tags": ["Third Party Advisory"], "url": "https://www.usom.gov.tr/bildirim/tr-22-0635"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.usom.gov.tr/bildirim/tr-22-0635"}], "sourceIdentifier": "iletisim@usom.gov.tr", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "iletisim@usom.gov.tr", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Secondary"}]}