CVE-2023-30552: SQL injection in sql/instance.py endpoint in Archery - GHSL-2022-101
First published: Tue Apr 18 2023(Updated: )
Archery is an open source SQL audit platform. The Archery project contains multiple SQL injection vulnerabilities, that may allow an attacker to query the connected databases. Affected versions are subject to SQL injection in the `sql/instance.py` endpoint's `describe` method. In several cases, user input coming from the `tb_name` parameter value, the `db_name` parameter value or the `schema_name` value in the `sql/instance.py` `describe` endpoint is passed to the `describe_table` methods in given SQL engine implementations, which concatenate user input unsafely into a SQL query and afterwards pass it to the `query` method of each database engine for execution. Please take into account that in some cases all three parameter values are concatenated, in other only one or two of them. The affected methods are: `describe_table` in `sql/engines/clickhouse.py`which concatenates input which is passed to execution on the database in the `query` method in `sql/engines/clickhouse.py`, `describe_table` in `sql/engines/mssql.py` which concatenates input which is passed to execution on the database in the `query` methods in `sql/engines/mssql.py`, `describe_table` in `sql/engines/mysql.py`which concatenates input which is passed to execution on the database in the `query` method in `sql/engines/mysql.py`, `describe_table` in `sql/engines/oracle.py` which concatenates input which is passed to execution on the database in the `query` methods in `sql/engines/oracle.py`, `describe_table` in `sql/engines/pgsql.py`which concatenates input which is passed to execution on the database in the `query` methods in `sql/engines/pgsql.py`, `describe_table` in `sql/engines/phoenix.py` which concatenates input which is passed to execution on the database in the `query` method in `sql/engines/phoenix.py`. Each of these issues may be mitigated by escaping user input or by using prepared statements when executing SQL queries. This issue is also indexed as `GHSL-2022-101`.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Archerydms Archery | =1.9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2023-30552?
CVE-2023-30552 is a SQL injection vulnerability in the Archery open source SQL audit platform, specifically in the `sql/instance.py` endpoint's `describe` method.
What is the severity of CVE-2023-30552?
The severity of CVE-2023-30552 is medium, with a severity value of 6.5.
How can an attacker exploit CVE-2023-30552?
An attacker can exploit CVE-2023-30552 by using SQL injection techniques to query the connected databases through the vulnerable `sql/instance.py` endpoint's `describe` method.
Which version of Archery is affected by CVE-2023-30552?
Archery version 1.9.0 is affected by CVE-2023-30552.
Is there a fix for CVE-2023-30552?
Yes, it is recommended to upgrade to a version of Archery that is not affected by CVE-2023-30552 or apply the necessary patches provided by the developer.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/author
- agent/references
- agent/last-modified-date
- agent/title
- agent/severity
- agent/first-publish-date
- agent/event
- agent/tags
- agent/description
- vendor/archerydms
- canonical/archerydms archery
- version/archerydms archery/1.9.0