CVE-2023-30556

Name of the Vulnerable Software and Affected Versions Archery (affected versions not specified)

Description The issue concerns SQL injection vulnerabilities in the Archery project, which may allow an attacker to query connected databases. The optimize sqltuningadvisor method of sql optimize.py is affected. User input from the db name parameter in sql optimize.py is passed to the sqltuningadvisor method in oracle.py for execution.

Recommendations To mitigate this issue, escape variables accepted via user input when used in sql optimize.py. Use prepared statements when dealing with SQL as a mitigation for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.