Lucene search

GitHub_MCVELIST:CVE-2023-30556

HistoryApr 18, 2023 - 10:35 p.m.

CVE-2023-30556 SQL injection in sql_optimize.py optimize_sqltuningadvisor method in Archery - GHSL-2022-107

2023-04-1822:35:38

CWE-89

GitHub_M

www.cve.org

cve-2023-30556; archery; sql injection; open source; sql audit platform; vulnerability; optimize_sqltuningadvisor method; db_name parameter; sql_optimize.py; oracle.py; prepared statements; ghsl-2022-107

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

33.8%

JSON

Archery is an open source SQL audit platform. The Archery project contains multiple SQL injection vulnerabilities, that may allow an attacker to query the connected databases. Affected versions are subject to SQL injection in the optimize_sqltuningadvisor method of sql_optimize.py. User input coming from the db_name parameter value in sql_optimize.py is passed to the sqltuningadvisor method in oracle.pyfor execution. To mitigate escape the variables accepted via user input when used in sql_optimize.py. Users may also use prepared statements when dealing with SQL as a mitigation for this issue. This issue is also indexed as GHSL-2022-107.

CNA Affected

[
  {
    "vendor": "hhyo",
    "product": "Archery",
    "versions": [
      {
        "version": "<= 1.9.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/hhyo/Archery/security/advisories/GHSA-6pv9-9gq7-hr68

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

33.8%

JSON

Related for CVELIST:CVE-2023-30556