Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-30556: SQL injection in sql_optimize.py optimize_sqltuningadvisor method GHSL-2022-107

Archery is an open source SQL audit platform. The Archery project contains multiple SQL injection vulnerabilities, that may allow an attacker to query the connected databases. Affected versions are subject to SQL injection in the optimize_sqltuningadvisor method of sql_optimize.py. User input coming from the db_name parameter value in sql_optimize.py is passed to the sqltuningadvisor method in oracle.pyfor execution. To mitigate escape the variables accepted via user input when used in sql_optimize.py. Users may also use prepared statements when dealing with SQL as a mitigation for this issue. This issue is also indexed as GHSL-2022-107.

CVE
Open in Source
#sql#vulnerability#oracle

Summary

The Archery project contains multiple SQL injection vulnerabilities, that may allow an attacker to query the connected databases.

Product

Archery

Tested Version

v1.9.0

Details

SQL injection exists in the project due to unsafe user input being concatenated with a SQL query, that is passed to methods executing a query in a database. All identified issues exist due to the controller files in folder sql taking user input and not sanitizing it, which later is passed to execution. Since the controller methods are connected to and allows querying all the databases that are connected to Archery, then all databases making queries with concatenated input will be affected. In this way, one vulnerable endpoint allows for exploiting several databases. To exploit most of these SQL injections, knowledge of the exploited instance name that is defined in Archery, is needed.

Issue 7: SQL injection in sql_optimize.py optimize_sqltuningadvisor method (GHSL-2022-107)

User input coming from the db_name in parameter value in the sql_optimize.py optimize_sqltuningadvisor is passed to the oracle.py sqltuningadvisor on line 1347 method for execution.

Remediation

Escape the variables accepting user input in sql_optimize.py optimize_sqltuningadvisor method, that is db_name parameter value by using f.ex. MySQLdb.escape().

Impact

All of the issues may lead to Information Disclosure.

General remediation advice

To fix each of the issues, the best practice would be to escape the user input (as presented in Remediation section of each of the issues) or use prepared statements when executing SQL queries. Using placeholders in cursor.execute() will automatically escape the passed values. See Django documentation around executing custom SQL directly and Connections and cursors.

Generally, it is best to use prepared statements rather, but for Archery’s codebase it would be much easier to fix the issues by escaping user input, which is sufficient protection. Please consider also escaping all other variables which accept input from the user, particularly the ones from GET or POST requests.

For more information on preventing SQL injection see SQL Injection Prevention Cheat Sheet - Primary Defenses

Credit

These issues were discovered and reported by GHSL team member @sylwia-budzynska (Sylwia Budzynska).

Disclosure Policy

This report is subject to our coordinated disclosure policy.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE