PT-2023-22781 · Archery · Archery

Sylwia-Budzynska · Published 2023-04-18 · Updated 2023-05-01 · CVE-2023-30554

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Archery (affected versions not specified)

Description: The Archery project contains multiple SQL injection issues that may allow an attacker to query connected databases. The sql_api/api_workflow.py endpoint ExecuteCheck passes unfiltered input to the explain_check method in sql/engines/oracle.py. User input from the db_name parameter of the api_workflow.py ExecuteCheck endpoint is executed through the oracle.py execute_check method and the explain_check method. These issues can be mitigated by escaping user input or using prepared statements when executing SQL queries.

Recommendations: As a temporary workaround, consider escaping user input or using prepared statements when executing SQL queries to mitigate the risk of exploitation. Restrict access to the sql_api/api_workflow.py endpoint ExecuteCheck to minimize the risk of exploitation. Avoid using the db_name parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
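The following is an added illustration of the mitigation the advisory recommends, written here for this page; it is not Archery's code, and the function names, the ALTER SESSION / all_users statements and the allowlist are assumptions. It makes one point the recommendation leaves implicit: a schema name such as db_name is used in identifier position, where a bind variable cannot be placed, so it must be validated (and ideally allowlisted) before it is emitted, while value positions get bind variables.

```python
import re
from typing import Iterable, Optional

# Unquoted Oracle identifiers: a letter followed by letters, digits,
# '_', '$' or '#'. Quotes, spaces, ';' and '--' are rejected, which is
# what keeps a caller-controlled db_name out of the SQL text.
_IDENT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]{0,127}$")


def is_safe_db_name(db_name: str, allowed: Optional[Iterable[str]] = None) -> bool:
    """True if db_name is a syntactically safe identifier and, when an
    allowlist is given (assumed here), one of the schemas the caller may use."""
    if not isinstance(db_name, str) or not _IDENT_RE.fullmatch(db_name):
        return False
    if allowed is not None:
        return db_name.upper() in {a.upper() for a in allowed}
    return True


def validate_db_name(db_name: str, allowed: Optional[Iterable[str]] = None) -> str:
    """Return the schema name normalised to upper case, or raise ValueError."""
    if not is_safe_db_name(db_name, allowed):
        raise ValueError(f"rejected schema name: {db_name!r}")
    return db_name.upper()


def set_schema_statement(db_name: str, allowed: Optional[Iterable[str]] = None) -> str:
    """Identifier position (hypothetical statement shape). ALTER SESSION SET
    CURRENT_SCHEMA = <name> cannot take a bind variable, so a prepared
    statement does not help; the name is validated, then quoted."""
    return f'ALTER SESSION SET CURRENT_SCHEMA = "{validate_db_name(db_name, allowed)}"'


def schema_lookup_query(db_name: str) -> tuple:
    """Value position (hypothetical query). A bind variable in the
    python-oracledb / cx_Oracle ':name' style is the right tool: the SQL
    text stays constant and the name travels separately as a parameter."""
    sql = "SELECT COUNT(*) FROM all_users WHERE username = :owner"
    return sql, {"owner": validate_db_name(db_name)}
```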

Exploit: SQL injection

Weakness Enumeration

Related Identifiers: CVE-2023-30554, GHSA-3P43-89M6-7X5W

Affected Products: Archery