PatchSiren cyber security CVE debrief

CVE-2022-0495 Parantez Teknoloji CVE debrief

An unauthenticated SQL injection vulnerability in KOHA Library Automation System versions prior to 19.05.03.01 allows remote attackers to execute arbitrary SQL commands without authentication. The vulnerability was publicly disclosed on September 21, 2022, with a critical CVSS 3.1 score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L). The Turkish National Cyber Security Incident Response Center (USOM) issued advisory TR-22-0635 documenting this issue. Parantez Teknoloji released version 19.05.03.01 to remediate the vulnerability. Organizations running affected versions should upgrade immediately, as unauthenticated SQL injection enables complete database compromise including data exfiltration, modification, and potential authentication bypass.

Vendor: Parantez Teknoloji
Product: Unknown
CVSS: CRITICAL 9.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2022-09-21
Original CVE updated: 2026-05-20
Advisory published: 2022-09-21
Advisory updated: 2026-05-20

Who should care

Organizations using KOHA Library Automation System for library management, particularly academic and public libraries in Turkey and regions where KOHA is deployed. System administrators and security teams responsible for library automation infrastructure.

Technical summary

Unauthenticated SQL injection in KOHA Library Automation System versions before 19.05.03.01. Remote attackers can execute arbitrary SQL commands without authentication. Fixed in version 19.05.03.01. CVSS 3.1: 9.4 Critical.

Defensive priority

critical

Recommended defensive actions

  • Upgrade KOHA Library Automation System to version 19.05.03.01 or later immediately
  • If immediate patching is not possible, restrict network access to KOHA administrative interfaces to trusted IP ranges only
  • Review database access logs for suspicious SQL queries from 2022-09-21 onward
  • Validate input sanitization on all KOHA endpoints after patching
  • Monitor for unauthorized database modifications or unexpected data access patterns
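As an added example (not part of the PatchSiren debrief or any vendor tooling), a small Python script that carries out the log-review action above against MySQL general-query-log lines: it keeps entries dated 2022-09-21 or later and flags queries carrying common injection indicators for analyst review. The sample log lines, connection ids and table names are constructed for illustration, and the line format assumed is MySQL's general query log.

```python
import re
from datetime import date

# Constructed sample in MySQL general-query-log layout (not real Koha traffic).
# Table names are illustrative only.
SAMPLE_LOG = """\
2022-09-20T10:00:01.000000Z   12 Query  SELECT * FROM borrowers WHERE borrowernumber = 42
2022-09-22T08:15:09.000000Z   19 Query  SELECT * FROM borrowers WHERE cardnumber = '' OR '1'='1' -- '
2022-09-23T11:42:30.000000Z   21 Query  SELECT title FROM biblio WHERE biblionumber = 7 UNION SELECT userid FROM borrowers
2022-09-23T11:43:02.000000Z   21 Query  SELECT 1 FROM dual WHERE 1=1 AND SLEEP(5)
2022-09-24T09:00:00.000000Z   30 Query  UPDATE borrowers SET email='a@example.org' WHERE borrowernumber = 1
"""

# "<ISO timestamp> <connection id> Query <statement>" as written by the general log.
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+\s+(\d+)\s+Query\s+(.*)$")

# Indicator name -> pattern. These are review triggers, not proof of compromise;
# a hit means a human should look at the surrounding session.
INDICATORS = [
    ("union",        re.compile(r"\bunion\b[\s\S]*\bselect\b", re.I)),
    ("tautology",    re.compile(r"\bor\s+'?(\w+)'?\s*=\s*'?\1\b", re.I)),
    ("comment",      re.compile(r"--\s|/\*|#", re.I)),
    ("time_delay",   re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("schema_probe", re.compile(r"information_schema|\bload_file\s*\(", re.I)),
]


def parse_general_log(text):
    """Yield (date, connection id, SQL text) for each Query line; skip other lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield date.fromisoformat(m.group(1)), int(m.group(2)), m.group(3)


def review_queries(text, since=date(2022, 9, 21)):
    """Return findings for queries on/after `since` that match any indicator."""
    findings = []
    for day, conn, sql in parse_general_log(text):
        if day < since:
            continue  # outside the review window the advisory suggests
        hits = [name for name, rx in INDICATORS if rx.search(sql)]
        if hits:
            findings.append({"date": day.isoformat(), "conn": conn,
                             "indicators": hits, "sql": sql})
    return findings


if __name__ == "__main__":
    for f in review_queries(SAMPLE_LOG):
        print(f["date"], f["conn"], ",".join(f["indicators"]), f["sql"])
```

Connection ids let you pull the matching Connect line from the same log to see which client host issued the flagged statements.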

Evidence notes

CVE published 2022-09-21; modified 2026-05-20. USOM advisory TR-22-0635 provides third-party confirmation. CPE confirms affected versions exclude 19.05.03.01. CVSS vector confirms network attack vector with no privileges required.
