Description
blazer is vulnerable to sql injection attacks. The library does not properly sanitize user input which allows an attacker to inject malicious sql queries and modify system data.
Affected Software
Related
{"id": "VERACODE:35204", "vendorId": null, "type": "veracode", "bulletinFamily": "software", "title": "SQL Injection", "description": "blazer is vulnerable to sql injection attacks. The library does not properly sanitize user input which allows an attacker to inject malicious sql queries and modify system data.\n", "published": "2022-04-22T05:18:52", "modified": "2022-04-28T19:06:57", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 4.3}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-35204/summary", "reporter": "Veracode Vulnerability Database", "references": ["https://github.com/ankane/blazer/commit/f49fbfed7b9e406a69eb78c463c3aa5d35006d8d", "https://github.com/ankane/blazer/issues/392", "https://github.com/advisories/GHSA-qf9q-q4hh-qph3"], "cvelist": ["CVE-2022-29498"], "immutableFields": [], "lastseen": "2022-05-12T00:13:11", "viewCount": 3, "enchantments": {"score": {"value": 4.8, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2022-29498"]}, {"type": "github", "idList": ["GHSA-QF9Q-Q4HH-QPH3"]}, {"type": "osv", "idList": ["OSV:GHSA-QF9Q-Q4HH-QPH3"]}]}, "vulnersScore": 4.8}, "_state": {"score": 1660016489, "dependencies": 1660016401}, "_internal": {"score_hash": "684ef1de42b8082ddc2aaf18682f5010"}, "affectedSoftware": [{"version": "2.5.0", "operator": "le", "name": "blazer"}, {"version": "0.0.1", "operator": "ge", "name": "blazer"}, {"version": "2.5.0", "operator": "le", "name": "blazer"}, {"version": "0.0.1", "operator": "ge", "name": "blazer"}]}
{"cve": [{"lastseen": "2022-04-28T19:10:27", "description": "Blazer before 2.6.0 allows SQL Injection. In certain circumstances, an attacker could get a user to run a query they would not have normally run.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-21T05:15:00", "type": "cve", "title": "CVE-2022-29498", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-29498"], "modified": "2022-04-28T16:24:00", "cpe": [], "id": "CVE-2022-29498", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29498", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}], "github": [{"lastseen": "2022-04-29T22:04:29", "description": "Blazer before 2.6.0 allows SQL Injection. In certain circumstances, an attacker could get a user to run a query they would not have normally run.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-22T00:00:36", "type": "github", "title": "SQL injection in blazer", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-29498"], "modified": "2022-04-29T21:07:18", "id": "GHSA-QF9Q-Q4HH-QPH3", "href": "https://github.com/advisories/GHSA-qf9q-q4hh-qph3", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "osv": [{"lastseen": "2022-07-30T04:53:07", "description": "Blazer before 2.6.0 allows SQL Injection. In certain circumstances, an attacker could get a user to run a query they would not have normally run.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-22T00:00:36", "type": "osv", "title": "SQL injection in blazer", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-29498"], "modified": "2022-07-30T04:53:04", "id": "OSV:GHSA-QF9Q-Q4HH-QPH3", "href": "https://osv.dev/vulnerability/GHSA-qf9q-q4hh-qph3", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}
SQL Injection
