CVE-2022-48591: 
ScienceLogic SL1 Agent vulnerability analysis and mitigation

A SQL injection vulnerability was discovered in the ScienceLogic SL1 platform's "vendor print report" feature, identified as CVE-2022-48591. The vulnerability was found in versions 11.1.2 and earlier, where unsanitized user-controlled input in the vendor_state parameter is passed directly to a SQL query. The vulnerability was initially reported to the vendor on September 6, 2022, and was publicly disclosed on August 9, 2023 (Securifera Advisory).

The vulnerability has been assigned a CVSS v3.1 score of 8.8 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability is network accessible, requires low attack complexity, needs low privileges, requires no user interaction, and has high impacts on confidentiality, integrity, and availability (Securifera Advisory).

The SQL injection vulnerability allows attackers to inject arbitrary SQL commands that are executed against the database. This could potentially lead to unauthorized access to sensitive data, modification of database contents, and potential disruption of service operations (Securifera Advisory).

Users are advised to update to the latest version of ScienceLogic SL1 beyond version 11.1.2 to address this vulnerability (Securifera Advisory).

The disclosure process faced significant resistance from the vendor, who initially refused CVE issuance and disclosure. The vendor hired a law firm to manage the disclosure process, and their legal team strongly advised against disclosing to MITRE. Despite these objections, the vulnerability was eventually publicly disclosed (Securifera Advisory).