CVE-2023-30605

Name of the Vulnerable Software and Affected Versions Archery (affected versions not specified)

Description The Archery project contains multiple SQL injection vulnerabilities that may allow an attacker to query connected databases. User input from the variable name and variable value parameters in the "sql/instance.py" "param edit" endpoint is passed to methods in SQL engine implementations, which concatenate user input unsafely into a SQL query and execute it on the database. The affected methods include set variable and get variables in "sql/engines/goinception.py" and "sql/engines/mysql.py". These issues can be mitigated by escaping user input or using prepared statements when executing SQL queries.

Recommendations As a temporary workaround, consider escaping user input from the variable name and variable value parameters in the "param edit" endpoint until a patch is available. Restrict access to the vulnerable methods set variable and get variables in "sql/engines/goinception.py" and "sql/engines/mysql.py" to minimize the risk of exploitation. Avoid using the variable name and variable value parameters in the "param edit" endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.