Security vulnerabilities in SQL Monitor prior to 12.1.54 (CVE-2022-47542)

31st January 2023

Summary

SQL Monitor prior to 12.1.46 configured for Active Directory (LDAP) authentication has an elevation of privilege vulnerability allowing valid, low-privileged users to gain administrative rights in SQL Monitor.

SQL Monitor prior to 12.1.54 also allowed valid, low-privileged users to perform limited actions not granted to their access level.

SQL Monitor version 12.1.54 fixes these vulnerabilities.

What's the risk?

If you use SQL Monitor’s role-based access control, then users with read-only, standard, or reporting privileges could exploit the vulnerability to make changes to SQL Monitor that would normally require a higher level of access.

In versions prior to 12.1.46, using Active Directory (LDAP) authentication only, this included modifying SQL Monitor user rights assignment, allowing escalation to an administrative user of SQL Monitor.

In all cases, only a valid user of SQL Monitor could perform these actions – anonymous or invalid users were not granted access.

The elevation of privilege vulnerability has a CVSS 3.1 score of 7.6 (high). The other vulnerabilities are medium or lower.

How can I resolve this vulnerability?

SQL Monitor release 12.1.54 includes full fixes for the issues described in this notice.

SQL Monitor releases 12.1.46 and later, and 11.2.21, include fixes for the elevation of privilege vulnerability.

We recommend you upgrade to the latest release as soon as possible.
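The fixed-version thresholds above are easy to misapply across a fleet (the 11.2 line has its own fix, and 12.1.46 closes only the elevation of privilege issue). The following added example, which is not Redgate's code and not part of this notice, triages a list of installed SQL Monitor versions against those thresholds. Hostnames and versions in the sample inventory are constructed for illustration, and it assumes that 11.2.x builds later than 11.2.21 keep the 11.2.21 fix, which the notice does not state.

```python
"""Triage installed SQL Monitor versions against the thresholds in this notice."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

Version = Tuple[int, int, int]

# Thresholds stated in the advisory.
FULL_FIX: Version = (12, 1, 54)    # fixes every issue described in the notice
EOP_FIX_12: Version = (12, 1, 46)  # 12.1.46 and later fix the elevation of privilege issue
EOP_FIX_11: Version = (11, 2, 21)  # 11.2.21 fixes the elevation of privilege issue
RECOMMENDED = "12.1.54"


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' into a comparable tuple; extra segments are ignored."""
    parts = text.strip().split(".")
    if len(parts) < 3:
        raise ValueError(f"expected major.minor.patch, got {text!r}")
    try:
        major, minor, patch = (int(p) for p in parts[:3])
    except ValueError as exc:
        raise ValueError(f"non-numeric component in {text!r}") from exc
    return (major, minor, patch)


@dataclass(frozen=True)
class Triage:
    version: str
    eop_exposed: bool              # elevation of privilege via AD (LDAP) authentication
    limited_actions_exposed: bool  # low-privileged users performing actions above their level
    action: str


def triage(version_text: str, uses_ad_auth: bool) -> Triage:
    """Classify one installation. Both issues only matter when role-based access control
    is in use; the elevation of privilege issue additionally requires AD (LDAP) auth."""
    v = parse_version(version_text)
    if v >= FULL_FIX:
        eop_fixed, limited_fixed = True, True
    elif v >= EOP_FIX_12:
        eop_fixed, limited_fixed = True, False
    elif v[:2] == (11, 2) and v >= EOP_FIX_11:
        # Assumption (not stated in the notice): later 11.2.x builds keep the 11.2.21 fix.
        eop_fixed, limited_fixed = True, False
    else:
        eop_fixed, limited_fixed = False, False

    eop_exposed = uses_ad_auth and not eop_fixed
    limited_exposed = not limited_fixed
    action = f"upgrade to {RECOMMENDED} or later" if (eop_exposed or limited_exposed) else "no action required"
    return Triage(version_text, eop_exposed, limited_exposed, action)


def audit(inventory: Iterable[Tuple[str, str, bool]]) -> List[Tuple[str, Triage]]:
    """Run triage over (hostname, version, uses_ad_auth) tuples and return the entries
    that need an upgrade, highest severity first."""
    findings = [(host, triage(ver, ad)) for host, ver, ad in inventory]
    exposed = [(h, t) for h, t in findings if t.eop_exposed or t.limited_actions_exposed]
    # The CVSS 7.6 (high) elevation of privilege issue sorts before the medium-or-lower ones.
    exposed.sort(key=lambda ht: (not ht[1].eop_exposed, ht[0]))
    return exposed


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up for illustration.
    sample = [
        ("mon-01", "12.1.54", True),
        ("mon-02", "12.1.46", True),
        ("mon-03", "12.0.38", True),
        ("mon-04", "12.1.40", False),
        ("mon-05", "11.2.21", True),
    ]
    for host, t in audit(sample):
        print(f"{host}: {t.version} eop={t.eop_exposed} "
              f"limited={t.limited_actions_exposed} -> {t.action}")
```

Feed `audit()` the output of whatever inventory source you already have (CMDB export, installer logs) and treat any `eop_exposed` entry as the first upgrade target; an installation using only built-in SQL Monitor accounts is still listed when it predates 12.1.54, because the limited-actions issue does not depend on the authentication mode.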

Has this vulnerability been exploited?

Redgate has seen no evidence of this vulnerability being exploited in the wild.

The initial vulnerability was discovered during routine penetration testing of SQL Monitor. We conducted further internal testing to discover any similar vulnerabilities.

How does Redgate ensure its products are secure?

All our product teams receive training in secure development practices, and we peer review all code changes. We use extensive suites of automated checks.

Unfortunately, vulnerabilities do occasionally occur. When we discover them, we aim to fix and announce them promptly and to publish details on our website. You can find out more in our product security policy.