Skip to main content

Apache lucene query injection

Description

The system generates Apache Lucene queries dynamically, without validating untrusted inputs and without using parameterized statements or stored procedures.

Impact

  • Obtain information linking a user to a Wallet ID.
  • Obtain balances on users accounts.
  • Overwrite files with manipulated information.

Recommendation

Perform database queries through the JSON endpoints provided by Apache Lucene. Additionally, sanitise user input before involving them in queries.

Threat

Unauthorized attacker on the Internet.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: H
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code madurity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 8.2
    • Temporal: 8.2
  • Severity:
    • Base: High
    • Temporal: High

Code Examples

Compliant code

Sanitize user input on the server side and make parameterised queries to the system end points

public static void searchIndex(String userInput, boolean inclusive)
throws IOException, ParseException {
Directory directory = FSDirectory.getDirectory(INDEX_DIRECTORY);
IndexSearcher indexSearcher = new IndexSearcher(directory);
string cleanInput = sanitizeInput(userInput);
Term searchTerm = new Term(FIXED_FIELD, cleanInput);
Query query = new RangeQueryJson(searchTerm, inclusive);
//Use defined JSON Endpoints to make query
Hits hits = indexSearcher.search(query);
displayHits(hits);
}

Non compliant code

//The application uses unsanitized user input to make a query and display possible harmful information

public static void searchIndex(String whichField, String start, String end, boolean inclusive)
throws IOException, ParseException {
Directory directory = FSDirectory.getDirectory(INDEX_DIRECTORY);
IndexSearcher indexSearcher = new IndexSearcher(directory);
Term startTerm = new Term(whichField, start);
Term endTerm = new Term(whichField, end);
Query query = new RangeQuery(startTerm, endTerm, inclusive);
Hits hits = indexSearcher.search_analize(query);
displayHits(hits);
}

Requirements