GHSA-8xpj-9j9g-fc9r

Source
https://github.com/advisories/GHSA-8xpj-9j9g-fc9r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-8xpj-9j9g-fc9r/GHSA-8xpj-9j9g-fc9r.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-8xpj-9j9g-fc9r
Aliases
Published
2022-04-08T22:43:17Z
Modified
2023-11-01T04:58:10.306942Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
SQL Injection in elide-datastore-aggregation
Details

Impact

When leveraging the following together:

  • Elide Aggregation Data Store for Analytic Queries
  • Parameterized Columns (A column that requires a client provided parameter)
  • A parameterized column of type TEXT

An attacker can supply a carefully crafted query that bypasses server-side authorization filters through SQL injection. A recent patch to Elide 6.1.2 allowed the '-' character to be included in parameterized TEXT columns. Two consecutive hyphens ('--') start a SQL comment, so an attacker can use them to comment out the remainder of the generated query, removing the WHERE clause that carries the authorization filters.

Patches

A fix is provided in Elide 6.1.4.

Workarounds

The vulnerability only exists for parameterized columns of type TEXT and only for analytic queries (CRUD is not impacted). Workarounds include leveraging a different type of parameterized column (TIME, MONEY, etc) or not leveraging parameterized columns.

For more information

If you have any questions or comments about this advisory:

  • Open an issue in elide
  • Contact us in Discord

Database specific
{
    "nvd_published_at": "2022-04-11T21:15:00Z",
    "github_reviewed_at": "2022-04-08T22:43:17Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-89"
    ]
}
References

Affected packages

Maven / com.yahoo.elide:elide-datastore-aggregation

Package

Name
com.yahoo.elide:elide-datastore-aggregation
Purl
pkg:maven/com.yahoo.elide/elide-datastore-aggregation

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.3
Fixed
6.1.4

Affected versions

6.*

6.1.3