In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00758.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Cyrusimap
  • Cyrus-sasl
Debian
  • Debian Linux
Fedoraproject
  • Fedora
Netapp
  • Active Iq Unified Manager
  • Ontap Select Deploy Administration Utility
Oracle
  • Communications Cloud Native Core Console
  • Communications Cloud Native Core Network Function Cloud Native Environment
  • Communications Cloud Native Core Security Edge Protection Proxy
Redhat
  • Enterprise Linux
  • Integration
  • Rhel E4s
  • Rhel Els
  • Rhel Eus
  • Rhev Hypervisor

Configuration 1 [-]

cpe:2.3:a:cyrusimap:cyrus-sasl:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Configuration 3 [-]

OR cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

Configuration 4 [-]

OR cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_console:22.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.1:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat Enterprise Linux 6 Extended Lifecycle Support
cyrus-sasl-0:2.1.23-16.el6_10 cpe:/o:redhat:rhel_els:6 RHSA-2022:0780 2022-03-08T00:00:00Z
Red Hat Enterprise Linux 7
cyrus-sasl-0:2.1.26-24.el7_9 cpe:/o:redhat:enterprise_linux:7 RHSA-2022:0666 2022-02-24T00:00:00Z
Red Hat Enterprise Linux 8
cyrus-sasl-0:2.1.27-6.el8_5 cpe:/a:redhat:enterprise_linux:8 RHSA-2022:0658 2022-02-23T00:00:00Z
cyrus-sasl-0:2.1.27-6.el8_5 cpe:/o:redhat:enterprise_linux:8 RHSA-2022:0658 2022-02-23T00:00:00Z
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions
cyrus-sasl-0:2.1.27-2.el8_1 cpe:/a:redhat:rhel_e4s:8.1 RHSA-2022:0730 2022-03-02T00:00:00Z
Red Hat Enterprise Linux 8.2 Extended Update Support
cyrus-sasl-0:2.1.27-2.el8_2 cpe:/a:redhat:rhel_eus:8.2 RHSA-2022:0731 2022-03-02T00:00:00Z
Red Hat Enterprise Linux 8.4 Extended Update Support
cyrus-sasl-0:2.1.27-6.el8_4 cpe:/a:redhat:rhel_eus:8.4 RHSA-2022:0668 2022-02-24T00:00:00Z
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
redhat-virtualization-host-0:4.3.22-20220330.1.el7_9 cpe:/o:redhat:enterprise_linux:7::hypervisor RHSA-2022:1263 2022-04-07T00:00:00Z
Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
redhat-virtualization-host-0:4.4.10-202203101736_8.5 cpe:/o:redhat:rhev_hypervisor:4.4::el8 RHSA-2022:0841 2022-03-14T00:00:00Z
RHINT Camel-K 1.6.4
cpe:/a:redhat:integration:1 RHSA-2022:1029 2022-03-23T00:00:00Z

No data.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-2931-1 cyrus-sasl2 security update
Debian DSA Debian DSA DSA-5087-1 cyrus-sasl2 security update
EUVD EUVD EUVD-2022-29299 In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.
Ubuntu USN Ubuntu USN USN-5301-1 Cyrus SASL vulnerability
Ubuntu USN Ubuntu USN USN-5301-2 Cyrus SASL vulnerability
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
http://www.openwall.com/lists/oss-security/2022/02/23/4 cve-icon cve-icon
https://github.com/cyrusimap/cyrus-sasl/blob/fdcd13ceaef8de684dc69008011fa865c5b4a3ac/docsrc/sasl/release-notes/2.1/index.rst cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2022/03/msg00002.html cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4FIXU75Q6RBNK6UYM7MQ3TCFGXR7AX4U/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H26R4SMGM3WHXX4XYNNJB4YGFIL5UNF4/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZZC6BMPI3V3MC2IGNLN377ETUWO7QBIH/ cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2022-24407 cve-icon
https://security.netapp.com/advisory/ntap-20221007-0003/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2022-24407 cve-icon
https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28 cve-icon cve-icon cve-icon
https://www.debian.org/security/2022/dsa-5087 cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujul2022.html cve-icon cve-icon
History

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00632}

 epss

{'score': 0.00649}

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00564}

 epss

{'score': 0.00632}
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2024-08-03T04:13:55.263Z

Reserved: 2022-02-04T00:00:00

Link: CVE-2022-24407

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2022-02-24T15:15:29.350

Modified: 2024-11-21T06:50:21.343

Link: CVE-2022-24407

cve-icon Redhat

Severity : Important

Publid Date: 2022-02-22T18:00:00Z

Links: CVE-2022-24407 - Bugzilla

cve-icon OpenCVE Enrichment

No data.