CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

EPSS

Metric | Value |
---|---|
Percentile | 50.2% |
With a carefully crafted web request, it's possible to execute certain unwanted SQL statements against the database.
Anyone running the impacted versions (<=6.1.1, 6.2.0, >=7.0.0, <=7.1.1) should upgrade as soon as possible.
The problem has been patched in the following versions: 6.1.2, 6.2.1, and 7.2.0.
Users are strongly urged to upgrade to the most recent relevant patch.
There are no workarounds.
https://www.w3schools.com/sql/sql_injection.asp
https://en.wikipedia.org/wiki/SQL_injection
Post any questions to the Arches project forum.
Vendor | Product | Version | CPE |
---|---|---|---|
archesproject | arches | * | cpe:2.3:a:archesproject:arches:*:*:*:*:*:*:*:* |
archesproject | arches | 6.2.0 | cpe:2.3:a:archesproject:arches:6.2.0:*:*:*:*:*:*:* |
github.com/advisories/GHSA-gmpq-xrxj-xh8m
github.com/archesproject/arches/commit/7ed53e23a616edf3301d95814d9d64de5e3072a9
github.com/archesproject/arches/security/advisories/GHSA-gmpq-xrxj-xh8m
github.com/pypa/advisory-database/tree/main/vulns/arches/PYSEC-2022-42985.yaml
nvd.nist.gov/vuln/detail/CVE-2022-41892
pypi.org/project/arches/6.1.2
pypi.org/project/arches/7.2.0
securitylab.github.com/advisories/GHSL-2022-070_GHSL-2022-072_Arches