CVE-2023-47128

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-47128

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-47128.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-47128

Aliases

Published

2023-11-10T18:15:09Z

Modified

2024-10-12T11:09:21.596Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

Piccolo is an object-relational mapping and query builder which supports asyncio. Prior to version 1.1.1, the handling of named transaction savepoints in all database implementations is vulnerable to SQL Injection via f-strings. While the likelihood of an end developer exposing a savepoints name parameter to a user is highly unlikely, it would not be unheard of. If a malicious user was able to abuse this functionality they would have essentially direct access to the database and the ability to modify data to the level of permissions associated with the database user. A non exhaustive list of actions possible based on database permissions is: Read all data stored in the database, including usernames and password hashes; insert arbitrary data into the database, including modifying existing records; and gain a shell on the underlying server. Version 1.1.1 fixes this issue.

References

Affected packages

Git / github.com/piccolo-orm/piccolo

Affected ranges

Type: GIT
Repo: https://github.com/piccolo-orm/piccolo
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

82679eb8cd1449cf31d87c9914a072e70168b6eb

Affected versions

0.*

0.1.0

0.1.1

0.1.2

0.10.0

0.10.1

0.10.2

0.10.3

0.10.4

0.10.5

0.10.6

0.10.7

0.10.8

0.100.0

0.101.0

0.102.0

0.103.0

0.104.0

0.105.0

0.106.0

0.107.0

0.108.0

0.109.0

0.11.0

0.11.1

0.11.2

0.11.3

0.11.4

0.11.5

0.11.6

0.11.7

0.11.8

0.110.0

0.111.0

0.111.1

0.112.0

0.112.1

0.113.0

0.114.0

0.115.0

0.116.0

0.117.0

0.118.0

0.119.0

0.12.0

0.12.1

0.12.2

0.12.3

0.12.4

0.12.5

0.12.6

0.120.0

0.121.0

0.13.0

0.13.1

0.13.2

0.13.3

0.13.4

0.13.5

0.14.0

0.14.1

0.14.10

0.14.11

0.14.12

0.14.13

0.14.2

0.14.3

0.14.4

0.14.5

0.14.6

0.14.7

0.14.8

0.14.9

0.15.0

0.15.1

0.16.0

0.16.1

0.16.2

0.16.3

0.16.4

0.16.5

0.17.0

0.17.1

0.17.2

0.17.3

0.17.4

0.17.5

0.18.0

0.18.1

0.18.2

0.18.3

0.18.4

0.19.0

0.19.1

0.2.0

0.20.0

0.21.0

0.21.1

0.21.2

0.22.0

0.23.0

0.24.0

0.24.1

0.25.0

0.26.0

0.27.0

0.28.0

0.29.0

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.30.0

0.31.0

0.32.0

0.33.0

0.33.1

0.34.0

0.35.0

0.36.0

0.37.0

0.38.0

0.38.1

0.38.2

0.39.0

0.4.0

0.4.1

0.40.0

0.40.1

0.41.0

0.41.1

0.42.0

0.43.0

0.44.0

0.44.1

0.45.0

0.45.1

0.46.0

0.47.0

0.48.0

0.49.0

0.5.0

0.5.1

0.5.2

0.50.0

0.51.0

0.51.1

0.52.0

0.53.0

0.54.0

0.55.0

0.56.0

0.57.0

0.58.0

0.59.0

0.6.0

0.6.1

0.60.0

0.60.1

0.60.2

0.61.0

0.61.1

0.61.2

0.62.0

0.62.1

0.62.2

0.62.3

0.63.0

0.63.1

0.64.0

0.65.0

0.65.1

0.66.0

0.66.1

0.67.0

0.68.0

0.69.0

0.69.1

0.69.2

0.69.3

0.69.4

0.69.5

0.7.0

0.7.1

0.7.2

0.7.3

0.7.4

0.7.5

0.7.6

0.7.7

0.70.0

0.70.1

0.71.0

0.71.1

0.72.0

0.73.0

0.74.0

0.74.1

0.74.2

0.74.3

0.74.4

0.75.0

0.76.0

0.76.1

0.77.0

0.78.0

0.79.0

0.8.0

0.8.1

0.8.2

0.8.3

0.80.0

0.80.1

0.80.2

0.81.0

0.82.0

0.83.0

0.84.0

0.85.0

0.85.1

0.86.0

0.87.0

0.88.0

0.89.0

0.9.2

0.9.3

0.90.0

0.91.0

0.92.0

0.93.0

0.94.0

0.95.0

0.96.0

0.97.0

0.98.0

0.99.0

1.*

1.0.0

1.1.0