Lucene search

[email protected]NVD:CVE-2023-30556

HistoryApr 19, 2023 - 12:15 a.m.

CVE-2023-30556

2023-04-1900:15:09

CWE-89

[email protected]

web.nvd.nist.gov

archery

sql

injection

vulnerabilities

optimize_sqltuningadvisor

db_name

oracle.py

prepared statements

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

33.8%

JSON

Archery is an open source SQL audit platform. The Archery project contains multiple SQL injection vulnerabilities, that may allow an attacker to query the connected databases. Affected versions are subject to SQL injection in the optimize_sqltuningadvisor method of sql_optimize.py. User input coming from the db_name parameter value in sql_optimize.py is passed to the sqltuningadvisor method in oracle.pyfor execution. To mitigate escape the variables accepted via user input when used in sql_optimize.py. Users may also use prepared statements when dealing with SQL as a mitigation for this issue. This issue is also indexed as GHSL-2022-107.

Affected configurations

Nvd

Node

archerydmsarcheryMatch1.9.0

VendorProductVersionCPE
archerydmsarchery1.9.0cpe:2.3:a:archerydms:archery:1.9.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
archerydms	archery	1.9.0	cpe:2.3:a:archerydms:archery:1.9.0:::::::*

References

github.com/hhyo/Archery/security/advisories/GHSA-6pv9-9gq7-hr68

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

33.8%

JSON

Related for NVD:CVE-2023-30556

cvelist1 cve1 osv1 prion1