CVE-2022-48592: 
ScienceLogic SL1 Agent vulnerability analysis and mitigation

A SQL injection vulnerability (CVE-2022-48592) was discovered in ScienceLogic SL1's vendor print report feature, specifically in the vendor_country parameter. The vulnerability was identified in versions 11.1.2 and earlier of the software. The issue was initially reported to the vendor on September 6, 2022, and was publicly disclosed on August 9, 2023, after a complex disclosure process involving the vendor's legal team (Securifera Advisory).

The vulnerability stems from unsanitized user-controlled input in the vendor_country parameter that is directly passed to a SQL query, enabling arbitrary SQL injection attacks. The vulnerability has been assigned a CVSS 3.1 score of 8.8 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact potential across confidentiality, integrity, and availability (Securifera Advisory).

The SQL injection vulnerability allows attackers to execute arbitrary SQL commands against the database, potentially leading to unauthorized access to sensitive data, manipulation of database contents, and compromise of system integrity. The high CVSS score reflects the significant potential impact on system confidentiality, integrity, and availability (Securifera Advisory).

The primary mitigation strategy is to update to a version newer than ScienceLogic SL1 11.1.2. This recommendation comes directly from the security advisory following the vulnerability's disclosure (Securifera Advisory).

The disclosure process for this vulnerability was notably complex, with the vendor initially refusing CVE issuance and disclosure on October 28, 2022. The vendor's legal team strongly advised against disclosing to MITRE, leading to a delayed public disclosure that finally occurred on August 9, 2023 (Securifera Advisory).