Authenticated Boolean-Based SQL Injection Vulnerability in sort Parameter
search cancel

Authenticated Boolean-Based SQL Injection Vulnerability in sort Parameter

book

Article ID: 396220

calendar_today

Updated On: 05-13-2025

Products

VMware Avi Load Balancer

Issue/Introduction

An authenticated Boolean-Based Blind SQL Injection vulnerability has been identified in the sort parameter of the AVI Load Balancer. This issue allows authenticated users, including those with read-only access, to inject SQL payloads and infer sensitive database information based on the server's responses.

Environment

 

  • Product: AVI Load Balancer

  • Affected Versions: 30.2.1, 30.1.2, 30.2.2, 31.1.1, 31.2.1, 31.1.2

 

Cause

The sort parameter in HTTP requests is vulnerable to unsanitized input, as the application does not properly validate or sanitize user-supplied data before executing SQL queries. This oversight allows attackers to inject malicious payloads, potentially manipulating backend database queries. The root cause lies in improper input handling within the application's HTTP request parsing mechanism, specifically in the sort parameter used for sorting data in the UI.

Resolution

The vulnerability has been addressed in the following fix versions:

  • 30.2.3

  • 31.2.1

  • 31.1.2

  • 31.1.1-2p2

  • 30.2.2-2p5

  • 30.1.2-2p3

Additional Information

Impact

Successful exploitation of this vulnerability could allow:

  • Unauthorized extraction of sensitive database information

  • Potential data modification

  • Bypass of access controls

  • Data leakage or system compromise depending on configuration

 

Powered by Wolken Software