CVE-2023-30552

Name of the Vulnerable Software and Affected Versions Archery (affected versions not specified)

Description The Archery project contains multiple SQL injection vulnerabilities that may allow an attacker to query the connected databases. The issue arises from the sql/instance.py endpoint's describe method, where user input from the tb name parameter value, the db name parameter value, or the schema name value is passed to the describe table methods in various SQL engine implementations. These methods concatenate user input unsafely into a SQL query and pass it to the query method of each database engine for execution. The affected methods include describe table in sql/engines/clickhouse.py, sql/engines/mssql.py, sql/engines/mysql.py, sql/engines/oracle.py, sql/engines/pgsql.py, and sql/engines/phoenix.py. This issue may be mitigated by escaping user input or using prepared statements when executing SQL queries.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.