Headline
GHSA-gmpq-xrxj-xh8m: Arches vulnerable to execution of arbitrary SQL
Impact
With a carefully crafted web request, it is possible to execute certain unwanted SQL statements against the database.
Anyone running the impacted versions (6.1.1 and earlier; 6.2.0; 7.0.0 through 7.1.1) should upgrade as soon as possible.
Workarounds
There are no workarounds.
For more information
Post any questions to the Arches project forum.
Package
arches (pip)
Affected versions
<= 6.1.1
= 6.2.0
>= 7.0.0, <= 7.1.1
Patched versions
6.1.2
6.2.1
7.2.0
References
- GHSA-gmpq-xrxj-xh8m
- https://pypi.org/project/arches/6.1.2/
- https://pypi.org/project/arches/7.2.0/
apeters published the maintainer security advisory on Nov 10, 2022
Severity
High (8.6 / 10)
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Weaknesses
CWE-89
CVE ID
CVE-2022-41892
GHSA ID
GHSA-gmpq-xrxj-xh8m
Source code
archesproject/arches
Related news
Arches is a web platform for creating, managing, and visualizing geospatial data. Versions prior to 6.1.2, 6.2.1, and 7.1.2 are vulnerable to SQL Injection. With a carefully crafted web request, it's possible to execute certain unwanted SQL statements against the database. This issue is fixed in version 7.12, 6.2.1, and 6.1.2. Users are recommended to upgrade as soon as possible. There are no workarounds.