PT-2023-30331 · Piccolo · Piccolo

Skelmis · Published 2023-11-10 · Updated 2023-11-20 · CVE-2023-47128

CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Piccolo versions prior to 1.1.1

Description: The handling of named transaction savepoints in all of Piccolo's database implementations is vulnerable to SQL injection because the savepoint name is interpolated into the SQL statement with f-strings. This could allow a malicious user to have direct access to the database and modify data to the level of permissions associated with the database user. Possible actions, depending on database permissions, include reading all data stored in the database, inserting arbitrary data, and gaining a shell on the underlying server.

Recommendations: For versions prior to 1.1.1, update to version 1.1.1 to fix the issue. As a temporary workaround, consider restricting access to the savepoint method to minimize the risk of exploitation. Avoid passing user-provided input directly to connection.execute without proper escaping. Ensure all strings passed to connection.execute are properly escaped, regardless of how end-user facing they may be.
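The following illustrates the pattern behind this advisory: a savepoint name dropped into `SAVEPOINT`/`RELEASE`/`ROLLBACK TO` statements through an f-string, beside a hardened builder that allow-lists the name as a bare identifier before interpolating it. This is an added example written for this page, not Piccolo's own code; the function names, the identifier rule (letters, digits and underscore only), the `ledger` table and the hostile sample name are all assumptions, and the rule Piccolo 1.1.1 actually applies is not stated on the page. It uses Python's built-in sqlite3 so it runs offline.

```python
import re
import sqlite3

# Assumed allow-list for a savepoint name: a plain SQL identifier. Identifiers
# cannot be bound as query parameters, so validation is the only defence here.
SAVEPOINT_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")

# Only these verbs may be combined with a savepoint name.
SAVEPOINT_VERBS = ("SAVEPOINT", "RELEASE", "ROLLBACK TO")

# Constructed hostile name: a second statement smuggled in after a semicolon.
HOSTILE_NAME = "sp1; SELECT 1 --"


def savepoint_sql_unsafe(verb: str, name: str) -> str:
    """The vulnerable pattern: whatever is in `name` becomes part of the SQL."""
    return f"{verb} {name}"


def is_valid_savepoint_name(name: str) -> bool:
    """True only for a bare identifier (no quotes, spaces, ';' or comment markers)."""
    return SAVEPOINT_NAME_RE.fullmatch(name) is not None


def savepoint_sql(verb: str, name: str) -> str:
    """Hardened builder: reject anything that is not a plain identifier
    (and any verb outside the fixed set) before building the statement."""
    if verb not in SAVEPOINT_VERBS:
        raise ValueError(f"unsupported savepoint verb: {verb!r}")
    if not is_valid_savepoint_name(name):
        raise ValueError(f"invalid savepoint name: {name!r}")
    return f"{verb} {name}"


def rejects(name: str) -> bool:
    """Helper for checks: does the hardened builder refuse this name?"""
    try:
        savepoint_sql("SAVEPOINT", name)
    except ValueError:
        return True
    return False


def insert_batch(conn: sqlite3.Connection, savepoint: str, amounts: list) -> bool:
    """Insert a batch of rows inside a named savepoint. A negative amount aborts
    the batch and rolls back to the savepoint. Returns True if the batch was kept."""
    conn.execute(savepoint_sql("SAVEPOINT", savepoint))
    try:
        for amount in amounts:
            if amount < 0:
                raise ValueError("negative amount")
            # Values (as opposed to identifiers) are passed as bound parameters.
            conn.execute("INSERT INTO ledger(amount) VALUES (?)", (amount,))
    except ValueError:
        conn.execute(savepoint_sql("ROLLBACK TO", savepoint))
        conn.execute(savepoint_sql("RELEASE", savepoint))
        return False
    conn.execute(savepoint_sql("RELEASE", savepoint))
    return True


def demo_rollback_on_bad_row():
    """Run two batches against an in-memory database: the first is kept, the
    second is rolled back. Returns (row count, batch_1 kept, batch_2 kept)."""
    # isolation_level=None: sqlite3 does not start transactions implicitly,
    # so the SAVEPOINT/RELEASE statements above control the transaction.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE ledger (amount INTEGER NOT NULL)")
    conn.execute("INSERT INTO ledger(amount) VALUES (10)")
    kept_1 = insert_batch(conn, "batch_1", [5, 7])
    kept_2 = insert_batch(conn, "batch_2", [3, -1])
    total = conn.execute("SELECT COUNT(*) FROM ledger").fetchone()[0]
    conn.close()
    return total, kept_1, kept_2


if __name__ == "__main__":
    print("unsafe:", savepoint_sql_unsafe("SAVEPOINT", HOSTILE_NAME))
    print("hardened rejects hostile name:", rejects(HOSTILE_NAME))
    print("rows, batch_1 kept, batch_2 kept:", demo_rollback_on_bad_row())
```

The point of the split between `savepoint_sql` and the bound `?` parameter in `insert_batch` is that the two kinds of input need different handling: values go through the driver's parameter binding, while identifiers such as a savepoint name can only be made safe by restricting them to a known-good shape before they reach `connection.execute`.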

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers: CVE-2023-47128 · GHSA-XQ59-7JF3-RJC6 · PYSEC-2023-241

Affected Products: Piccolo