PT-2023-22784 · Archery · Archery

Sylwia-Budzynska · Published 2023-04-18 · Updated 2023-05-01 · CVE-2023-30557

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Archery (affected versions not specified)

Description: The Archery project contains multiple SQL injection vulnerabilities that may allow an authenticated attacker (PR:L in the vector above) to read data from the databases Archery is connected to. The values of the db_name and tb_name parameters of the tableinfo endpoint are passed unsafely into SQL queries. The vulnerable methods are get_table_meta_data, get_table_desc_data and get_table_index_data in sql/engines/mssql.py and sql/engines/oracle.py; each concatenates the user-supplied names into a query string and hands it to the engine's query method for execution.

Recommendations: As a temporary workaround, validate the db_name and tb_name values as bare identifiers (letters, digits and underscore only, no quotes, whitespace or comment sequences) before they reach get_table_meta_data, get_table_desc_data and get_table_index_data, and bind them as query parameters wherever the statement uses them as string values (for example in a WHERE clause against the catalog). Where a name has to appear as an identifier in the statement (FROM db.table), it cannot be bound as a parameter, so quote it with the engine's identifier quoting after validation; escaping alone is weaker than either measure. Restrict access to the tableinfo endpoint to minimize the risk of exploitation, and avoid using the db_name and tb_name parameters of that endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
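The following is an added example, not Archery's own code: it places the flawed pattern the description refers to (user-supplied db_name/tb_name concatenated into a catalog query) beside a hardened version that validates both names as identifiers and binds them as parameters. Archery's real engines talk to MSSQL and Oracle; here sqlite3 stands in so the example runs offline, and the catalog table, the secrets table and the UNION payload are all constructed for illustration.

```python
"""Added example (not Archery's code): string-built metadata query vs. a hardened one.

sqlite3 stands in for the MSSQL/Oracle engines so this runs offline. The
schema, table names and payload below are constructed for illustration.
"""
import re
import sqlite3

# Constructed sample schema: a fake catalog table (what a metadata query would
# read) plus a table holding data the caller must never see through it.
_SETUP_SQL = """
CREATE TABLE schema_info (db_name TEXT, table_name TEXT, column_name TEXT);
INSERT INTO schema_info VALUES ('app', 'users', 'id'), ('app', 'users', 'email');
CREATE TABLE secrets (secret TEXT);
INSERT INTO secrets VALUES ('admin-password-hash');
"""


def _connect():
    """Fresh in-memory database populated with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SETUP_SQL)
    return conn


def get_table_meta_data_vulnerable(db_name, tb_name):
    """Mirrors the flawed pattern: request values concatenated straight into SQL."""
    conn = _connect()
    sql = (
        "SELECT column_name FROM schema_info "
        f"WHERE db_name='{db_name}' AND table_name='{tb_name}'"
    )
    return [row[0] for row in conn.execute(sql)]


# Bare identifier: letters, digits, underscore; no quotes, spaces or comments.
_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,127}")


def get_table_meta_data_hardened(db_name, tb_name):
    """Reject anything that is not a plain identifier, then bind as parameters."""
    for name in (db_name, tb_name):
        if not _IDENTIFIER.fullmatch(name):
            raise ValueError(f"invalid identifier: {name!r}")
    conn = _connect()
    sql = "SELECT column_name FROM schema_info WHERE db_name=? AND table_name=?"
    return [row[0] for row in conn.execute(sql, (db_name, tb_name))]


def hardened_rejects(db_name, tb_name):
    """True if the hardened version refuses the input (used to check the payload)."""
    try:
        get_table_meta_data_hardened(db_name, tb_name)
    except ValueError:
        return True
    return False


# Constructed payload: closes the string literal, appends a UNION that pulls
# rows from an unrelated table, and comments out the trailing quote.
PAYLOAD = "users' UNION SELECT secret FROM secrets --"

if __name__ == "__main__":
    print("vulnerable, normal input :", get_table_meta_data_vulnerable("app", "users"))
    print("vulnerable, payload      :", get_table_meta_data_vulnerable("app", PAYLOAD))
    print("hardened, normal input   :", get_table_meta_data_hardened("app", "users"))
    print("hardened rejects payload :", hardened_rejects("app", PAYLOAD))
```

The vulnerable function returns the secret alongside the real column names; the hardened one returns the same column list for legitimate input and refuses the payload before any SQL is built. The identifier check is the part that carries over to queries where the name is used as an identifier rather than a value (FROM db.table), since a bound parameter cannot take that position; there, quote the validated name with the engine's own identifier quoting ([name] for T-SQL, "NAME" for Oracle) instead of interpolating it raw.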

Exploit

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2023-30557
GHSA-9PVW-F8JV-XXJR

Affected Products

Archery