CVE-2022-24124: 
vulnerability analysis and mitigation

The CVE-2022-24124 vulnerability was discovered in Casdoor versions up to and including 1.13.0. The vulnerability is related to SQL injection in the field filter functionality, where the query API's field and value parameters could be exploited to perform SQL injection attacks (GitHub Issue, GitHub PR).

The vulnerability exists in the query API where user input from the field and value parameters was directly inserted into raw SQL expressions without proper sanitization. The vulnerable code used string formatting to construct SQL queries: session.And(fmt.Sprintf("%s like ?", util.SnakeString(field))). This allowed attackers to inject malicious SQL code through the field parameter. The /api/get-organizations endpoint was publicly accessible, making the vulnerability exploitable by unauthenticated users (GitHub Issue).

The vulnerability could allow attackers to perform SQL injection attacks against the affected Casdoor installations. Through this vulnerability, attackers could potentially extract sensitive information from the database, as demonstrated by a proof of concept that was able to retrieve database user information (GitHub Issue).

The vulnerability was fixed in Casdoor version 1.13.1. The fix implemented input validation to ensure the field parameter only contains alphanumeric characters, effectively preventing SQL injection attempts (GitHub PR). Users should upgrade to version 1.13.1 or later to address this vulnerability.