CVE-2022-41892: Execution of arbitrary SQL possible in Arches

Arches is a web platform for creating, managing, and visualizing geospatial data. Versions prior to 6.1.2, 6.2.1, and 7.1.2 are vulnerable to SQL injection. With a carefully crafted web request, it's possible to execute certain unwanted SQL statements against the database. This issue is fixed in version 7.12, 6.2.1, and 6.1.2. Users are recommended to upgrade as soon as possible. There are no workarounds.


Impact

With a carefully crafted web request, it's possible to execute certain unwanted SQL statements against the database.
Anyone running the impacted versions (<=6.1.1, 6.2.0, >=7.0.0, <=7.1.1) should upgrade as soon as possible.

Patches

The problem has been patched in the following versions: 6.1.2, 6.2.1, and 7.2.0.
Users are strongly urged to upgrade to the most recent relevant patch.
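An added example, not part of the Arches project or this advisory: a small check that tells whether an installed Arches version falls in the affected ranges listed under Impact and, if so, which of the patched releases listed under Patches is the nearest upgrade. The version strings fed to it are constructed for illustration.

```python
# Added example: check an Arches version string against the affected ranges
# in this advisory. Not part of the Arches project; ranges copied from the text.
import re
import sys
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected per the Impact section: <=6.1.1, 6.2.0, >=7.0.0 and <=7.1.1.
# Each entry is (inclusive lower bound, inclusive upper bound).
AFFECTED_RANGES = [
    ((0, 0, 0), (6, 1, 1)),
    ((6, 2, 0), (6, 2, 0)),
    ((7, 0, 0), (7, 1, 1)),
]

# Patched releases per the Patches section.
PATCHED_RELEASES = [(6, 1, 2), (6, 2, 1), (7, 2, 0)]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' (optional leading 'v'); a missing PATCH counts as 0."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(text: str) -> bool:
    """True if the version lies inside any affected range (bounds inclusive)."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(text: str) -> Optional[str]:
    """Nearest patched release at or above the given version, or None if not affected."""
    v = parse_version(text)
    if not is_affected(text):
        return None
    # Every affected version is below 7.2.0, so at least one candidate always exists.
    target = min(p for p in PATCHED_RELEASES if p >= v)
    return ".".join(map(str, target))


if __name__ == "__main__":
    # Constructed sample versions; pass real ones on the command line instead.
    for arg in sys.argv[1:] or ["6.1.1", "6.2.0", "7.0.3", "7.1.2", "7.2.0"]:
        fix = recommended_upgrade(arg)
        print(f"{arg}: {'affected, upgrade to ' + fix if fix else 'not affected'}")
```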

Workarounds

There are no workarounds.

General References

https://www.w3schools.com/sql/sql_injection.asp
https://en.wikipedia.org/wiki/SQL_injection

For more information

Post any questions to the Arches project forum.

Related news

GHSA-gmpq-xrxj-xh8m: Arches vulnerable to execution of arbitrary SQL

Impact

With a carefully crafted web request, it's possible to execute certain unwanted SQL statements against the database. Anyone running the impacted versions (<=6.1.1, 6.2.0, >=7.0.0, <=7.1.1) should upgrade as soon as possible.

Workarounds

There are no workarounds.

For more information

Post any questions to the Arches project forum (https://community.archesproject.org/).
