CVE-2023-39122: 
Control-M vulnerability analysis and mitigation

CVE-2023-39122 is a SQL injection vulnerability affecting BMC Control-M software versions through 9.0.20.200. The vulnerability was discovered in July 2023 and allows attackers to perform SQL injection attacks via the report-id parameter at the /RF-Server/report/deleteReport endpoint. The issue has been fixed in version 9.0.21 and through a patch for version 9.0.20.200 (NVD CVE, Dojo Advisory).

The vulnerability is classified as a CWE-89 (SQL Injection) type weakness. It has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that it is a network-exploitable vulnerability requiring no privileges or user interaction to exploit, and can result in high impact to confidentiality, integrity, and availability (NVD CVE).

The SQL injection vulnerability allows attackers to execute arbitrary SQL commands through the report-id parameter. Given the CVSS score of 9.8, successful exploitation could lead to complete compromise of the system's confidentiality, integrity, and availability. The unauthenticated nature of the vulnerability makes it particularly severe (NVD CVE, Dojo Advisory).

The vulnerability has been fixed in BMC Control-M version 9.0.21. For users running version 9.0.20.200, a patch is available to address the vulnerability. Organizations are advised to upgrade to version 9.0.21 or apply the available patch for version 9.0.20.200 (NVD CVE).