CVE-2022-43437 - Vulnerability Details - OpenCVE

Description

The Download function’s parameter of EasyTest has insufficient validation for user input. A remote attacker authenticated as a general user can inject arbitrary SQL command to access, modify or delete database.

Published: 2023-01-03

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

HWA JIUH DIGITAL TECHNOLOGY LTD.

EasyTest

affected

Version	Status	Constraints
`17L18S`	affected	—

Configuration 1 [-]

cpe:2.3:a:easy_test_project:easy_test:17l18s:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

Update Easytest version to v.22I26

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2022-46440	The Download function’s parameter of EasyTest has insufficient validation for user input. A remote attacker authenticated as a general user can inject arbitrary SQL command to access, modify or delete database.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00933.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://www.twcert.org.tw/tw/cp-132-6829-11133-1.html

History

Thu, 10 Apr 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Subscriptions

Easy Test Project Easy Test

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2023-01-03T00:00:00.000Z

Updated: 2025-04-10T16:46:55.622Z

Reserved: 2022-10-19T00:00:00.000Z

Link: CVE-2022-43437

Vulnrichment

Updated: 2024-08-03T13:32:58.976Z

NVD

Status : Modified

Published: 2023-01-03T03:15:10.187

Modified: 2026-06-17T05:06:32.463

Link: CVE-2022-43437

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-43437", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "dateUpdated": "2025-04-10T16:46:55.622Z", "dateReserved": "2022-10-19T00:00:00.000Z", "datePublished": "2023-01-03T00:00:00.000Z"}, "containers": {"cna": {"title": "HWA JIUH DIGITAL TECHNOLOGY LTD. EasyTest - SQL Injection", "datePublic": "2022-12-30T00:00:00.000Z", "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2023-01-03T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "The Download function\u2019s parameter of EasyTest has insufficient validation for user input. A remote attacker authenticated as a general user can inject arbitrary SQL command to access, modify or delete database."}], "affected": [{"vendor": "HWA JIUH DIGITAL TECHNOLOGY LTD.", "product": "EasyTest", "versions": [{"version": "17L18S", "status": "affected"}]}], "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-6829-11133-1.html"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-89 SQL Injection", "cweId": "CWE-89"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"advisory": "TVN-202212002", "discovery": "EXTERNAL"}, "solutions": [{"lang": "en", "value": "Update Easytest version to v.22I26"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T13:32:58.976Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-6829-11133-1.html", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-10T16:46:37.791313Z", "id": "CVE-2022-43437", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-10T16:46:55.622Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-6829-11133-1.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T13:32:58.976Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-43437", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-10T16:46:37.791313Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-10T16:46:50.297Z"}}], "cna": {"title": "HWA JIUH DIGITAL TECHNOLOGY LTD. EasyTest - SQL Injection", "source": {"advisory": "TVN-202212002", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "HWA JIUH DIGITAL TECHNOLOGY LTD.", "product": "EasyTest", "versions": [{"status": "affected", "version": "17L18S"}]}], "solutions": [{"lang": "en", "value": "Update Easytest version to v.22I26"}], "datePublic": "2022-12-30T00:00:00.000Z", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-6829-11133-1.html"}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "The Download function\u2019s parameter of EasyTest has insufficient validation for user input. A remote attacker authenticated as a general user can inject arbitrary SQL command to access, modify or delete database."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 SQL Injection"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2023-01-03T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-43437", "state": "PUBLISHED", "dateUpdated": "2025-04-10T16:46:55.622Z", "dateReserved": "2022-10-19T00:00:00.000Z", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "datePublished": "2023-01-03T00:00:00.000Z", "assignerShortName": "twcert"}, "dataVersion": "5.1"}

{"affected": [{"affectedData": [{"product": "EasyTest", "vendor": "HWA JIUH DIGITAL TECHNOLOGY LTD.", "versions": [{"status": "affected", "version": "17L18S"}]}], "source": "twcert@cert.org.tw"}], "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:easy_test_project:easy_test:17l18s:*:*:*:*:*:*:*", "matchCriteriaId": "61A9C215-C21E-4A3F-9854-4C9E599B01FB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Download function\u2019s parameter of EasyTest has insufficient validation for user input. A remote attacker authenticated as a general user can inject arbitrary SQL command to access, modify or delete database."}, {"lang": "es", "value": "El par\u00e1metro de la funci\u00f3n Download de EasyTest no tiene validaci\u00f3n suficiente para la entrada del usuario. Un atacante remoto autenticado como usuario general puede inyectar un comando SQL arbitrario para acceder, modificar o eliminar la base de datos."}], "id": "CVE-2022-43437", "lastModified": "2026-06-17T05:06:32.463", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "twcert@cert.org.tw", "type": "Secondary"}], "ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2022-43437", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "total"}], "role": "CISA Coordinator", "timestamp": "2025-04-10T16:46:37.791313Z", "version": "2.0.3"}}]}, "published": "2023-01-03T03:15:10.187", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-6829-11133-1.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-6829-11133-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "twcert@cert.org.tw", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}