
Cloud Vulnerability DB
A community-led vulnerabilities database
Northern.tech CFEngine Enterprise before version 3.21.3 contains a SQL injection vulnerability in the Mission Portal login page. The vulnerability was discovered in version 3.6.0 and affects all versions from there up to (but not including) 3.21.3; the fixed versions are 3.18.6 and 3.21.3 (NVD).
The vulnerability exists in the Mission Portal login page of the CFEngine hub. It has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, and is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). Although the queried results are not directly visible in the server's response to the API request, attackers can craft queries that combine logical conditions with the PG_SLEEP function and infer data from response timing, i.e. time-based blind SQL injection (Vendor Advisory).
The vulnerability allows attackers to extract the contents of the entire underlying database through time-based blind SQL injection techniques. This includes access to sensitive information such as access tokens and salted password hashes stored in the database (Vendor Advisory).
Users are strongly advised to upgrade to CFEngine Enterprise version 3.18.6 or 3.21.3, which contain the security fix. The vulnerability only affects the CFEngine hub, so installing the updated hub package is sufficient for remediation (Vendor Advisory).
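Two things a defender usually wants from an entry like this are a way to spot the time-based probes in the hub's request logs and a reminder of what the fix looks like in code. The block below is an added example written for this page, not CFEngine's or Northern.tech's code: it parses constructed access-log lines (illustrative, not real Mission Portal logs), flags POST /login requests whose parameters carry PG_SLEEP, quote-plus-boolean or comment-terminator markers, and contrasts a string-spliced query with a parameterised lookup. It uses an in-memory SQLite table as a stand-in for the hub's PostgreSQL database (the driver placeholder is `?` here rather than psycopg's `%s`; the principle is the same), and the `users` schema, column names and hashing are assumptions for the demo only.

```python
"""Defender-side checks for a login-page SQL injection of the kind described above."""
import hashlib
import hmac
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed log lines: combined format with the URL-encoded request body appended in
# quotes. They are NOT real CFEngine hub logs; the payloads are only detection fixtures.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /login HTTP/1.1" 302 0 "user=alice&pass=Secret1"',
    '10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "POST /login HTTP/1.1" 200 512 '
    '"user=admin%27+AND+%28SELECT+pg_sleep%285%29%29+IS+NULL--&pass=x"',
    '10.0.0.7 - - [01/Jan/2024:10:00:30 +0000] "POST /login HTTP/1.1" 200 512 "user=admin%27+OR+1%3D1--&pass=x"',
    '10.0.0.9 - - [01/Jan/2024:10:01:02 +0000] "GET /dashboard HTTP/1.1" 200 2048 "-"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<body>[^"]*)"$'
)

# Markers of time-based / boolean blind SQLi in a decoded parameter value.
SQLI_MARKERS = [
    ("pg_sleep", re.compile(r"pg_sleep\s*\(", re.I)),            # PostgreSQL delay primitive
    ("quote+boolean", re.compile(r"'\s*(?:and|or)\b", re.I)),    # closes a literal, adds a condition
    ("comment-terminator", re.compile(r"--|/\*")),               # discards the rest of the query
]


def parse_line(line):
    """Return a dict for one log line (params already URL-decoded), or None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["params"] = parse_qs(rec["body"]) if rec["body"] != "-" else {}
    return rec


def flag_login_requests(lines):
    """Return one finding per POST /login request carrying at least one SQLi marker."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/login":
            continue
        hits = set()
        for name, values in rec["params"].items():
            for value in values:
                for label, rx in SQLI_MARKERS:
                    if rx.search(value):
                        hits.add(f"{name}:{label}")
        if hits:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "markers": sorted(hits)})
    return findings


def hash_pw(password, salt):
    """Placeholder salted hash for the demo; real code would use a password KDF (bcrypt/argon2)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_user_table():
    """In-memory stand-in for the hub's user table (assumed schema, constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt TEXT, pw_hash TEXT)")
    salt = "c0nstructed-salt"
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", ("alice", salt, hash_pw("Secret1", salt)))
    conn.commit()
    return conn


def unsafe_query(username):
    """The anti-pattern behind CWE-89: input spliced into SQL text. Returned as a string only,
    never executed, so the altered query logic can be inspected next to the safe version."""
    return f"SELECT salt, pw_hash FROM users WHERE username = '{username}'"


def check_login(conn, username, password):
    """Parameterised lookup: the driver binds username as a value, so quotes, AND/OR and
    pg_sleep() inside it are characters in a string literal, never SQL."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, pw_hash = row
    return hmac.compare_digest(pw_hash, hash_pw(password, salt))


if __name__ == "__main__":
    for f in flag_login_requests(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} suspicious login: {', '.join(f['markers'])}")
    conn = make_user_table()
    print("alice/Secret1 ->", check_login(conn, "alice", "Secret1"))
    print("injected username ->", check_login(conn, "admin' OR 1=1--", "x"))
```

The detector keys on the decoded parameter values rather than the raw body, because the hub sees the same decoded string the database would; matching on `%27` would miss `+`/`%20` variants. A second, cheaper signal worth adding in practice is response latency on the login route: repeated multi-second POST /login responses from one source are exactly what the PG_SLEEP probes produce.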
Source: This report was generated using AI