CVE-2022-24827

Name of the Vulnerable Software and Affected Versions Elide versions prior to 6.1.4

Description The issue arises when using Elide Aggregation Data Store for Analytic Queries, Parameterized Columns, and a parameterized column of type TEXT. This combination allows a hacker to craft a query that bypasses server-side authorization filters through SQL injection. A recent patch in Elide 6.1.2 introduced the vulnerability by allowing the '-' character in parameterized TEXT columns, which can be interpreted as SQL comments ('--') and remove the WHERE clause from the generated query. The vulnerability only affects parameterized columns of type TEXT and analytic queries, not CRUD operations.

Recommendations For versions prior to 6.1.4, update to Elide 6.1.4 to resolve the issue. As a temporary workaround, consider leveraging a different type of parameterized column, such as TIME or MONEY, or avoid using parameterized columns altogether.