CVE-2022-24827

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-24827
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-24827.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-24827
Aliases
Published
2022-04-11T21:15:08Z
Modified
2024-10-12T09:19:04.652826Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Elide is a Java library that lets you stand up a GraphQL/JSON-API web service with minimal effort. When leveraging the following together: Elide Aggregation Data Store for Analytic Queries, Parameterized Columns (A column that requires a client provided parameter), and a parameterized column of type TEXT. There is the potential for a hacker to provide a carefully crafted query that would bypass server side authorization filters through SQL injection. A recent patch to Elide 6.1.2 allowed the '-' character to be included in parameterized TEXT columns. This character can be interpreted as SQL comments ('--') and allow the attacker to remove the WHERE clause from the generated query and bypass authorization filters. A fix is provided in Elide 6.1.4. The vulnerability only exists for parameterized columns of type TEXT and only for analytic queries (CRUD is not impacted). Workarounds include leveraging a different type of parameterized column (TIME, MONEY, etc) or not leveraging parameterized columns.

References

Affected packages

Git / github.com/yahoo/elide

Affected ranges

Type
GIT
Repo
https://github.com/yahoo/elide
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

1.*

1.0.0.10
1.0.0.11
1.0.0.12
1.0.0.13
1.0.0.14
1.0.0.15
1.0.0.16
1.0.0.17
1.0.0.18
1.0.0.19
1.0.0.20
1.0.0.21
1.0.0.22
1.0.0.23
1.0.0.24
1.0.0.25
1.0.0.4
1.0.0.5
1.0.0.6
1.0.0.7
1.0.0.8
1.0.0.9

2.*

2.0.0
2.0.1
2.0.10
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.1.0
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1
2.3.10
2.3.11
2.3.12
2.3.13
2.3.14
2.3.15
2.3.16
2.3.17
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.4.0
2.4.1
2.4.10
2.4.11
2.4.12
2.4.13
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.5.0
2.5.1
2.5.2

3.*

3.0.0
3.0.1
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.16
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.2.0

4.*

4.0-alpha-2
4.0-alpha-3
4.0-beta-1
4.0-beta-2
4.0-beta-3
4.0-beta-4
4.0-beta-5
4.0.0
4.0.1
4.0.2
4.1.0
4.2.0
4.2.1
4.2.10
4.2.11
4.2.12
4.2.13
4.2.14
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.2.8
4.2.9
4.3.0
4.3.1
4.3.2
4.3.3
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.5.0
4.5.1
4.5.10
4.5.11
4.5.12
4.5.13
4.5.14
4.5.15
4.5.16
4.5.2
4.5.3
4.5.4
4.5.5
4.5.6
4.5.7
4.5.8
4.5.9
4.6.0
4.6.1
4.6.2
4.6.3
4.6.4
4.6.5
4.6.6
4.6.7
4.6.8

5.*

5.0.0
5.0.0-pr30
5.0.0-pr31
5.0.0-pr32
5.0.0-pr33
5.0.0-pr34
5.0.1
5.0.10
5.0.11
5.0.12
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9

6.*

6.0.0
6.0.0-pr1
6.0.0-pr2
6.0.0-pr3
6.0.0-pr4
6.0.0-pr5
6.0.0-pr6
6.0.0-pr7
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.1.0
6.1.1
6.1.2
6.1.3

elide-parent-pom-1.*

elide-parent-pom-1.0.0.0
elide-parent-pom-1.0.0.1
elide-parent-pom-1.0.0.3