PatchSiren cyber security CVE debrief
CVE-2022-2315 Database Software CVE debrief
A critical unauthenticated SQL injection vulnerability exists in Databank's Accreditation Tracking/Presentation Module prior to version 2. The vulnerability allows remote attackers to execute arbitrary SQL commands without authentication, potentially leading to complete database compromise. The CVSS 3.1 score of 9.4 reflects network attack vector, low attack complexity, no privileges required, no user interaction needed, and high impact to confidentiality and integrity with low availability impact. The vulnerability was publicly disclosed on September 21, 2022, and remains actively tracked with a status of 'Modified' as of May 20, 2026. No known exploitation in ransomware campaigns has been documented. The Turkish National Cyber Security Incident Response Team (USOM) issued advisory TR-22-0634 providing third-party guidance on this issue.
- Vendor: Database Software
- Product: Unknown
- CVSS: CRITICAL 9.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2022-09-21
- Original CVE updated: 2026-05-20
- Advisory published: 2022-09-21
- Advisory updated: 2026-05-20
Who should care
Organizations running Databank Accreditation Tracking/Presentation Module versions below 2, particularly those with internet-facing deployments. Database administrators, application security teams, and compliance officers responsible for accreditation systems should prioritize patching.
Technical summary
Unauthenticated SQL injection vulnerability in Databank Accreditation Tracking/Presentation Module versions prior to 2. Attackers can send crafted HTTP requests to inject malicious SQL statements without authentication. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements in SQL Command). Network-accessible instances are at highest risk. The fix in version 2 properly sanitizes or parameterizes SQL queries to prevent injection attacks.
Defensive priority
critical
Recommended defensive actions
- Upgrade Databank Accreditation Tracking/Presentation Module to version 2 or later immediately
- If immediate patching is not possible, restrict network access to the application to authorized administrative hosts only
- Monitor database query logs for anomalous SQL patterns including UNION-based injections, boolean-based blind injections, or time-based delays
- Implement Web Application Firewall (WAF) rules to detect and block common SQL injection payloads targeting the application
- Review database user privileges and ensure the application database account operates with least privilege principles
- Conduct database integrity verification and review for unauthorized modifications if compromise is suspected
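The query-log monitoring action above can be prototyped as a small scanner. This is an added example, not code from the vendor or from the advisory: the log line layout (timestamp, database user, client address, query), the table and column names, and the sample lines are all constructed assumptions.

```python
import re

# Heuristic signatures for the three injection styles named in the list above.
SIGNATURES = {
    "union": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    # AND/OR followed by a literal-to-literal comparison (1=1, 'a'='a', 1=2)
    "boolean-blind": re.compile(
        r"\b(?:or|and)\s+(?:\d+|'[^']*')\s*=\s*(?:\d+|'[^']*')"),
    "time-delay": re.compile(
        r"\b(?:sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b"),
}

# Constructed sample log; format and schema are hypothetical.
SAMPLE_LOG = """\
2022-09-22T10:14:01Z app_user 198.51.100.20 SELECT title FROM accreditations WHERE id = 42
2022-09-22T10:14:03Z app_user 203.0.113.7 SELECT title FROM accreditations WHERE id = 42 UNION/**/ALL SELECT login FROM staff
2022-09-22T10:14:05Z app_user 203.0.113.7 SELECT title FROM accreditations WHERE id = 42 AND 1=1
2022-09-22T10:14:09Z app_user 203.0.113.7 SELECT title FROM accreditations WHERE id = 42 AND SLEEP(5)
2022-09-22T10:15:00Z app_user 198.51.100.20 SELECT title FROM accreditations WHERE org = 'Teachers Credit Union' AND year = 2022
"""


def normalize(sql):
    """Replace inline comments with a space, collapse whitespace, lowercase."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    return re.sub(r"\s+", " ", sql).lower()


def scan(log_text):
    """Return (line number, client address, matched signatures) per hit."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue  # not a query line in the assumed layout
        _ts, _db_user, client, query = parts
        q = normalize(query)
        hits = sorted(n for n, rx in SIGNATURES.items() if rx.search(q))
        if hits:
            findings.append((line_no, client, hits))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

These signatures are heuristics: a string literal that happens to contain matching text will also be flagged, so treat hits as leads for review rather than confirmed compromise.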
Evidence notes
Official vulnerability databases (NVD, CVE.org) and Turkish USOM advisory TR-22-0634 confirm this as an unauthenticated SQL injection (CWE-89) in Databank Accreditation Tracking/Presentation Module versions prior to 2. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L.
Official resources
- CVE-2022-2315 CVE record (CVE.org)
- CVE-2022-2315 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
- Mitigation or vendor reference: [email protected] - Third Party Advisory (2022-09-21)