OSV:GHSA-GMPQ-XRXJ-XH8M
Nov 11, 2022 - 12:05 a.m.

Arches vulnerable to execution of arbitrary SQL

2022-11-11 00:05:15
Google
osv.dev
Tags: arches, sql injection, web request, database, upgrade, patch, versions, security

CVSS3: 9.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.001
Percentile: 50.2%

Impact

With a carefully crafted web request, it is possible to execute certain unwanted SQL statements against the database.
Anyone running the impacted versions (<=6.1.1, 6.2.0, >=7.0.0, <=7.1.1) should upgrade as soon as possible.

Patches

The problem has been patched in the following versions: 6.1.2, 6.2.1, and 7.2.0.
Users are strongly urged to upgrade to the most recent relevant patch.

Workarounds

There are no workarounds.

General References

https://www.w3schools.com/sql/sql_injection.asp
https://en.wikipedia.org/wiki/SQL_injection

For more information

Post any questions to the Arches project forum.
