Image Converter Service Vulnerability Allows Hackers to Access Database

CVE: CVE-2023-26454
CVSS (v3.1): 7.6
Source: CVE-2023-26454

An SQL injection vulnerability was discovered in the Image Converter Service that could allow attackers to execute arbitrary SQL statements against the service's database.

The Image Converter Service is used to convert images and to retrieve their metadata. Requests to fetch image metadata could be crafted to carry SQL fragments that the service passed to the database without validation, so attacker-controlled text was executed as part of the query.

Attackers on adjacent private networks could exploit this to run their own SQL statements with the privileges of the database account the service uses. That would give them read access to sensitive data such as user accounts.
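To make the mechanism concrete, here is an added example that is not the service's own code (the page does not describe its language or schema). It shows a metadata lookup written two ways in Python with SQLite: the string-built query of the kind the advisory describes beside a parameterized one, plus an identifier check as a second layer. The table names, columns, sample rows and the UNION payload are all constructed for illustration.

```python
import re
import sqlite3
from typing import List, Tuple

# Constructed sample schema and data standing in for an image metadata
# store and a user table. Nothing here is taken from the real product;
# table and column names are assumptions made for this example only.
SCHEMA = [
    "CREATE TABLE image_meta (image_id TEXT PRIMARY KEY, owner TEXT, "
    "width INTEGER, height INTEGER, format TEXT)",
    "CREATE TABLE users (login TEXT PRIMARY KEY, password_hash TEXT)",
]
IMAGES = [
    ("img-001", "alice", 800, 600, "jpeg"),
    ("img-002", "bob", 1024, 768, "png"),
]
USERS = [
    ("alice", "hash-for-alice"),  # constructed placeholder, not a real hash
    ("bob", "hash-for-bob"),
]

METADATA_COLUMNS = "image_id, owner, width, height, format"


def make_db() -> sqlite3.Connection:
    """Build an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    for stmt in SCHEMA:
        conn.execute(stmt)
    conn.executemany("INSERT INTO image_meta VALUES (?, ?, ?, ?, ?)", IMAGES)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def fetch_metadata_vulnerable(conn: sqlite3.Connection, image_id: str) -> List[Tuple]:
    """Flawed lookup: the request value is spliced into the SQL text.

    Whatever the caller sends becomes part of the statement, so quotes,
    UNION clauses and comment markers inside image_id are parsed as SQL.
    """
    sql = (f"SELECT {METADATA_COLUMNS} FROM image_meta "
           f"WHERE image_id = '{image_id}'")
    return conn.execute(sql).fetchall()


def fetch_metadata_parameterized(conn: sqlite3.Connection, image_id: str) -> List[Tuple]:
    """Bound parameter: the value travels separately from the statement,
    so the database never interprets it as SQL."""
    sql = f"SELECT {METADATA_COLUMNS} FROM image_meta WHERE image_id = ?"
    return conn.execute(sql, (image_id,)).fetchall()


# Image identifiers in this example are short opaque tokens; anything else is
# rejected before it reaches the database. This is defence in depth and does
# not replace parameterization.
IMAGE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def fetch_metadata_safe(conn: sqlite3.Connection, image_id: str) -> List[Tuple]:
    if not IMAGE_ID_RE.fullmatch(image_id):
        raise ValueError(f"rejected malformed image id: {image_id!r}")
    return fetch_metadata_parameterized(conn, image_id)


# A UNION-based payload of the kind a metadata request could carry. Its
# column count must match the original SELECT (five columns here); the
# trailing comment marker swallows the closing quote the code appends.
PAYLOAD = ("img-000' UNION SELECT login, password_hash, NULL, NULL, NULL "
           "FROM users --")


def demo() -> dict:
    """Run the payload through all three lookups and report what each returns."""
    conn = make_db()
    leaked = fetch_metadata_vulnerable(conn, PAYLOAD)
    parameterized_rows = fetch_metadata_parameterized(conn, PAYLOAD)
    try:
        fetch_metadata_safe(conn, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_leaks_users": sorted(row[:2] for row in leaked),
        "parameterized_rows": parameterized_rows,
        "validation_rejected": rejected,
        "legit_lookup": fetch_metadata_safe(conn, "img-001"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns the user table's logins and password hashes in place of image metadata, which is the kind of exposure described above; the parameterized lookup treats the same payload as an identifier that matches nothing, and the validation layer rejects it before any query is issued.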

No public exploits are known yet, but left unpatched, the flaw could expose passwords, e-mail addresses and other private user information stored in the database.

The Image Converter Service is not directly exposed to the public internet by default, which limits exploitation to attackers who already have a foothold on the same network segment. Organizations running it internally should nonetheless make sure the service is reachable only from the hosts that need it.

The developers have added input validation to block the injection and logging to make attempts visible. Users are advised to update to the latest version as soon as possible. Applying security updates regularly is also recommended to stay protected from newly discovered vulnerabilities.