CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile: 50.2%
With a carefully crafted web request, it is possible to execute certain unwanted SQL statements against the database.
Anyone running the impacted versions (<= 6.1.1; 6.2.0; 7.0.0 through 7.1.1) should upgrade as soon as possible.
The problem has been patched in the following versions: 6.1.2, 6.2.1, and 7.2.0.
Users are strongly urged to upgrade to the most recent relevant patch.
There are no workarounds.
https://www.w3schools.com/sql/sql_injection.asp
https://en.wikipedia.org/wiki/SQL_injection
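The advisory does not say which endpoint or query is injectable, so the following is a generic illustration added by the editor, not Arches code and not the actual CVE-2022-41892 flaw. It shows the pattern the advisory describes, a request-controlled value pasted into SQL text, next to the parameterized form that fixes it. The table, rows, payloads and function names are constructed for the example, and an in-memory sqlite3 database stands in for the project's real database.

```python
import sqlite3

# Constructed sample data for the example; not the Arches schema.
SAMPLE_ROWS = [
    ("Site A", "alice"),
    ("Site B", "alice"),
    ("Site C", "bob"),
]


def make_db():
    """Build an in-memory database with a small constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE resources (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)"
    )
    conn.executemany("INSERT INTO resources (name, owner) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def search_vulnerable(conn, owner):
    """Injectable: the request value is interpolated into the SQL text.

    A value like  ' OR '1'='1  turns the WHERE clause into a tautology,
    and  x' UNION SELECT owner FROM resources --  reads another column.
    """
    sql = "SELECT name FROM resources WHERE owner = '%s'" % owner
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, owner):
    """Hardened: the value travels as a bound parameter, never as SQL text.

    The same payloads are now compared literally against the owner column
    and match nothing.
    """
    sql = "SELECT name FROM resources WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"
    union = "x' UNION SELECT owner FROM resources --"
    print("vulnerable, tautology:", search_vulnerable(conn, tautology))
    print("vulnerable, union    :", search_vulnerable(conn, union))
    print("safe, tautology      :", search_safe(conn, tautology))
    print("safe, legitimate     :", search_safe(conn, "bob"))
```

The fix is the query shape, not input filtering: once the value is bound as a parameter, the driver keeps it out of the statement's syntax, so quoting tricks and comment markers have no effect. In a Django project this is the difference between building raw SQL with string formatting and passing `params` to `cursor.execute()` or using the ORM.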
Post any questions to the Arches project forum.
github.com/archesproject/arches
github.com/archesproject/arches/commit/7ed53e23a616edf3301d95814d9d64de5e3072a9
github.com/archesproject/arches/security/advisories/GHSA-gmpq-xrxj-xh8m
nvd.nist.gov/vuln/detail/CVE-2022-41892
pypi.org/project/arches/6.1.2
pypi.org/project/arches/7.2.0
securitylab.github.com/advisories/GHSL-2022-070_GHSL-2022-072_Arches