CVE-2023-43640: TaxonWorks SQL injection vulnerability
First published: Fri Sep 22 2023(Updated: )
TaxonWorks is a web-based workbench designed for taxonomists and biodiversity scientists. Prior to version 0.34.0, a SQL injection vulnerability was found in TaxonWorks that allows authenticated attackers to extract arbitrary data from the TaxonWorks database (including the users table). This issue may lead to information disclosure. Version 0.34.0 contains a fix for the issue.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Taxonworks | <0.34.0 |
Remedy
https://github.com/SpeciesFileGroup/taxonworks/commit/a98f2dc610a541678e1e51af47659cd8b30179ae
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2023-43640.
What is TaxonWorks?
TaxonWorks is a web-based workbench designed for taxonomists and biodiversity scientists.
What is the severity of CVE-2023-43640?
The severity of CVE-2023-43640 is medium with a severity value of 6.5.
How does the SQL injection vulnerability in TaxonWorks affect the system?
The SQL injection vulnerability allows authenticated attackers to extract arbitrary data from the TaxonWorks database, including the users table.
How can I fix CVE-2023-43640?
To fix CVE-2023-43640, it is recommended to upgrade to TaxonWorks version 0.34.0 or higher.
- agent/references
- agent/author
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/title
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/speciesfilegroup
- canonical/taxonworks