CVE-2023-30554

Archery is an open source SQL audit platform. The Archery project contains multiple SQL injection vulnerabilities, that may allow an attacker to query the connected databases. Affected versions are subject to SQL injection in the `sql_api/api_workflow.py` endpoint `ExecuteCheck` which passes unfiltered input to the `explain_check` method in `sql/engines/oracle.py`. User input coming from the `db_name` parameter value in the `api_workflow.py` `ExecuteCheck` endpoint is passed through the `oracle.py` `execute_check` method and to the `explain_check` method for execution. Each of these issues may be mitigated by escaping user input or by using prepared statements when executing SQL queries. This issue is also indexed as `GHSL-2022-103`.
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:archerydms:archery:1.9.0:*:*:*:*:*:*:*

History

21 Nov 2024, 08:00

Type Values Removed Values Added
References () https://github.com/hhyo/Archery/security/advisories/GHSA-3p43-89m6-7x5w - Exploit, Mitigation, Vendor Advisory () https://github.com/hhyo/Archery/security/advisories/GHSA-3p43-89m6-7x5w - Exploit, Mitigation, Vendor Advisory

01 May 2023, 17:17

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.5
CPE cpe:2.3:a:archerydms:archery:1.9.0:*:*:*:*:*:*:*
References (MISC) https://github.com/hhyo/Archery/security/advisories/GHSA-3p43-89m6-7x5w - (MISC) https://github.com/hhyo/Archery/security/advisories/GHSA-3p43-89m6-7x5w - Exploit, Mitigation, Vendor Advisory

19 Apr 2023, 12:39

Type Values Removed Values Added
New CVE

Information

Published : 2023-04-19 00:15

Updated : 2024-11-21 08:00


NVD link : CVE-2023-30554

Mitre link : CVE-2023-30554

CVE.ORG link : CVE-2023-30554


JSON object : View

Products Affected

archerydms

  • archery
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')