Enterprise-Architect SQL-Injection v.16.0.1605(Build: 1605) - 32 bit

Timeline:
Vulnerability reported to vendor: 07.11.2022
New fixed build 1625: 02.03.2023
Disclosure: 04.08.2023
CVE number assigned: 31.01.2024, CVE-2022-47072 https://www.cve.org/CVERecord?id=CVE-2022-47072

Acknowledgements: Maksymilian Kubiak, Sławomir Zakrzewski

Affected Products:
Enterprise-Architect v.16.0.1605(Build: 1605) - 32 bit

Proof of Concept
Additional SQL queries can be injected into Find field within Select Classifier functionality.
Below are the steps required to recreate the vulnerability:

Press the Search (1) button, then choose Browse for Diagram (2):
In the newly opened window pick the Search (1) functionality and paste the following payload into the Find (2) field:

‘union select null,password,null,null,Userlogin,null,null,null,null from t_secuser;--

In the search results (3), all users of the application and the password of the admin account were returned.

Since the database structure differs between installations, a simpler payload can be used:

‘union select null,@@version,null,null,null,null,null,null,null;--

Search results will return the version of the database used.

Additional Info
According to the vendor, passwords were stored in plaintext in the "t_secuser" table in older versions of EA. From EA 11 onward, passwords are stored in t_xref as hashes produced with the SHA-256 hashing algorithm.

Personally, I think that the occurrence of plaintext passwords in version 16.0.1605 must be caused by an upgrade from an older version.
It is surely worth checking if you own an instance of Enterprise Architect or if you are testing one.

The vendor fixed the vulnerability in build 1625 but labelled it in the changelog as "Select Dialog 'Search' tab now allows finding elements containing an apostrophe".
This is a manifestation of either ignorance or a deliberate action aimed at hiding the error from the users.
Reference: https://sparxsystems.com.au/products/ea/history.html#1625
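The root cause behind both the PoC and the vendor's "apostrophe" changelog entry is the same: the Find text is spliced into the SQL string instead of being bound as a parameter. The following added example (not code from the advisory or from Sparx Systems) reproduces that contrast against a constructed in-memory SQLite stand-in for the repository; the t_object table and its columns are assumptions, only t_secuser is named on the page. It shows that the concatenating search fails on an element name containing an apostrophe, while the parameterized search finds it and treats the page's payload as plain data.

```python
import sqlite3

# Constructed in-memory stand-in for an EA repository: t_secuser as named in the
# advisory, plus a hypothetical t_object table that the Find field searches.
SCHEMA = """
CREATE TABLE t_object (Object_ID INTEGER PRIMARY KEY, Name TEXT);
CREATE TABLE t_secuser (Userlogin TEXT, Password TEXT);
INSERT INTO t_object (Name) VALUES ('Customer'), ('O''Reilly Account'), ('Order');
INSERT INTO t_secuser VALUES ('admin', 'constructed-placeholder');
"""

# The payload quoted in the advisory, used here only as an ordinary search term.
PAGE_PAYLOAD = ("'union select null,password,null,null,Userlogin,"
                "null,null,null,null from t_secuser;--")


def open_repo():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def find_concat(con, term):
    """Vulnerable pattern: the Find text is spliced into the SQL string."""
    sql = f"SELECT Object_ID, Name FROM t_object WHERE Name LIKE '%{term}%'"
    return con.execute(sql).fetchall()


def find_bound(con, term):
    """Fixed pattern: the Find text is a bound parameter and is never parsed as SQL."""
    sql = "SELECT Object_ID, Name FROM t_object WHERE Name LIKE ?"
    return con.execute(sql, (f"%{term}%",)).fetchall()


def apostrophe_check(find, con):
    """Regression check mirroring the build 1625 changelog entry: searching for a
    name that contains an apostrophe must not error and must return that element.
    Returns (found_ok, error_message)."""
    try:
        rows = find(con, "O'Reilly")
    except sqlite3.OperationalError as exc:
        return False, str(exc)
    return [r[1] for r in rows] == ["O'Reilly Account"], ""


if __name__ == "__main__":
    con = open_repo()
    print("concat :", apostrophe_check(find_concat, con))
    print("bound  :", apostrophe_check(find_bound, con))
    print("payload as data:", find_bound(con, PAGE_PAYLOAD))
```

The concatenating version raises a syntax error on the apostrophe, which is exactly the symptom the changelog describes; the bound version returns the element and returns no rows for the payload.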
