Veracode Vulnerability Database: VERACODE:44253
Nov 13, 2023 - 10:35 a.m.

SQL Injection

2023-11-13 10:35:12
Source: sca.analysiscenter.veracode.com
Tags: piccolo, sql injection, input validation, database access

CVSS3: 9.1 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score: 7.4 High (Confidence: Low)
EPSS: 0.001 Low (Percentile: 33.1%)

Piccolo is vulnerable to SQL injection. The vulnerability is caused by a lack of user input validation when executing SQL statements: the input passed to connection.execute is not properly escaped. An attacker can exploit this vulnerability to gain direct access to the database and modify data with the privileges of the database user.

CPE:
Name     Operator  Version
piccolo  le        1.0a2
