Summary by martindios
A blind boolean-based SQL injection vulnerability was identified in the label parameter of an unauthenticated REST endpoint. By injecting Oracle SQL boolean expressions into the parameter, it was possible to infer query results character by character through the presence or absence of content in the response body.
Using binary search over ASCII values, the database username was successfully extracted without authentication, confirming that arbitrary Oracle SQL expressions were being evaluated server-side. The technique allows enumeration of table names, column names, and row data accessible to the DB user, as well as database version and internal schema information.
The vulnerability was reported through the NASA Vulnerability Disclosure Program on Bugcrowd and has since been resolved by the NASA team.