Liv Matan

#9660 of 53,635
28.6 Total CVSS
Vulnerabilities · 4
Medium: 1
High: 3
PT-2025-47476
6.0
2025-11-19
Google · Looker · CVE-2025-12743
**Name of the Vulnerable Software and Affected Versions**

- Looker versions prior to 24.12.106
- Looker versions 24.12.106 through 24.18.198
- Looker versions prior to 25.0.75
- Looker versions 25.0.75 through 25.6.63
- Looker versions prior to 25.6.63
- Looker versions 25.6.63 through 25.8.45
- Looker versions prior to 25.8.45
- Looker versions 25.8.45 through 25.10.33
- Looker versions prior to 25.10.33
- Looker versions 25.10.33 through 25.12.1
- Looker versions prior to 25.12.1
- Looker versions 25.12.1 through 25.14
- Looker versions prior to 25.14

**Description**

The Looker endpoint used for creating new projects from database connections allows specification of "looker" as a connection name, which is a reserved name for Looker’s internal MySQL database. The `schemas` parameter is susceptible to SQL injection, allowing manipulation of SELECT queries executed against the internal MySQL database. This allows users with developer permissions to extract data from Looker’s internal MySQL database. The API endpoint involved is the project generation endpoint. The vulnerable parameter is `schemas`.

**Recommendations**

- Versions prior to 24.12.106 must be upgraded.
- Versions 24.12.106 through 24.18.198 must be upgraded.
- Versions prior to 25.0.75 must be upgraded.
- Versions 25.0.75 through 25.6.63 must be upgraded.
- Versions prior to 25.6.63 must be upgraded.
- Versions 25.6.63 through 25.8.45 must be upgraded.
- Versions prior to 25.8.45 must be upgraded.
- Versions 25.8.45 through 25.10.33 must be upgraded.
- Versions prior to 25.10.33 must be upgraded.
- Versions 25.10.33 through 25.12.1 must be upgraded.
- Versions prior to 25.12.1 must be upgraded.
- Versions 25.12.1 through 25.14 must be upgraded.
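
The two weaknesses in the description (a reserved connection name being accepted, and `schemas` reaching a SELECT unescaped) map to two server-side checks. The following is an added example, not Looker's code or Google's fix: the `catalog` table, the comma-separated `schemas` format and all function names are assumptions, and the sample rows are constructed.

```python
import re
import sqlite3

# Assumption: connection names reserved for the application's own database.
RESERVED_CONNECTIONS = {"looker"}
# Assumption: schema names are plain identifiers; anything else is rejected.
SCHEMA_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_$]{0,63}")


def validate_request(connection_name, schemas):
    """Return the cleaned schema list, or raise ValueError on bad input."""
    if connection_name.strip().lower() in RESERVED_CONNECTIONS:
        raise ValueError("reserved connection name")
    names = [s.strip() for s in schemas.split(",") if s.strip()]
    if not names:
        raise ValueError("no schema given")
    for name in names:
        if not SCHEMA_RE.fullmatch(name):
            raise ValueError(f"invalid schema name: {name!r}")
    return names


def list_tables(db, connection_name, schemas):
    """Look up tables with schema names bound as parameters, never concatenated."""
    names = validate_request(connection_name, schemas)
    placeholders = ",".join("?" for _ in names)  # only '?' marks enter the SQL text
    sql = ("SELECT schema_name, table_name FROM catalog "
           f"WHERE schema_name IN ({placeholders}) ORDER BY 1, 2")
    return db.execute(sql, names).fetchall()


def demo_db():
    """Constructed in-memory stand-in for a metadata catalog (SQLite, not MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE catalog (schema_name TEXT, table_name TEXT)")
    db.executemany("INSERT INTO catalog VALUES (?, ?)",
                   [("sales", "orders"), ("sales", "customers"),
                    ("internal", "credentials")])
    return db


if __name__ == "__main__":
    print(list_tables(demo_db(), "warehouse", "sales, internal"))
```

The allowlist and the bound parameters are independent layers: either one alone stops a quote character in `schemas` from changing the query, and the reserved-name check is compared case-insensitively so that `Looker` is rejected as well.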