漏洞标题
在 Archery - GHSL-2022-103 的 sql_api/api_workflow.py 端点中的 SQL 注入
漏洞描述信息
Archer中的sql_api/api_workflow.py端点存在SQL注入漏洞 - GHSL-2022-103
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
漏洞类别
N/A
漏洞标题
SQL injection in sql_api/api_workflow.py endpoint in Archery - GHSL-2022-103
漏洞描述信息
Archery is an open source SQL audit platform. The Archery project contains multiple SQL injection vulnerabilities, that may allow an attacker to query the connected databases. Affected versions are subject to SQL injection in the `sql_api/api_workflow.py` endpoint `ExecuteCheck` which passes unfiltered input to the `explain_check` method in `sql/engines/oracle.py`. User input coming from the `db_name` parameter value in the `api_workflow.py` `ExecuteCheck` endpoint is passed through the `oracle.py` `execute_check` method and to the `explain_check` method for execution. Each of these issues may be mitigated by escaping user input or by using prepared statements when executing SQL queries. This issue is also indexed as `GHSL-2022-103`.
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
漏洞类别
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
漏洞标题
Archery SQL注入漏洞
漏洞描述信息
Archery是一套开源的漏洞评估和管理工具。 Archery 存在SQL注入漏洞,该漏洞源于包含多个 SQL 注入漏洞,可能允许攻击者查询连接的数据库。
CVSS信息
N/A
漏洞类别
SQL注入