AWS.WAF.Client.Scientific.Notation.SQL.Injection
Description
Amazon Web Services (AWS) offers a product named CloudFront that can be combined with AWS WAF, which ships predefined rule sets that help companies protect their web applications from intrusion. However, during an engagement, we found that the "SQL Database" rule set in AWS WAF could be bypassed using the bug shown in the previous section.
Affected Products
MySQL
MariaDB
Impact
System Compromise: Remote attackers can perform SQL injection against vulnerable systems.
Recommended Actions
The vendor has not released an advisory or patch regarding this vulnerability.
https://www.gosecure.net/blog/2021/10/19/a-scientific-notation-bug-in-mysql-left-aws-waf-clients-vulnerable-to-sql-injection/
Version Updates
Date | Version | Detail |
---|---|---|
2022-09-15 | 0.00328 | |