GHSA-gmpq-xrxj-xh8m

Suggest an improvement
Source
https://github.com/advisories/GHSA-gmpq-xrxj-xh8m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-gmpq-xrxj-xh8m/GHSA-gmpq-xrxj-xh8m.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-gmpq-xrxj-xh8m
Aliases
Related
Published
2022-11-11T00:05:15Z
Modified
2025-02-17T05:31:20.141756Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L CVSS Calculator
Summary
Arches vulnerable to execution of arbitrary SQL
Details

Impact

With a carefully crafted web request, it's possible to execute certain unwanted sql statements against the database.
Anyone running the impacted versions (<=6.1.1, 6.2.0, >=7.0.0, <=7.1.1) should upgrade as soon as possible.

Patches

The problem has been patched in the following versions: 6.1.2, 6.2.1, and 7.2.0 Users are strongly urged to upgrade to the most recent relevant patch.

Workarounds

There are no workarounds.

General References

https://www.w3schools.com/sql/sqlinjection.asp https://en.wikipedia.org/wiki/SQLinjection

For more information

Post any questions to the Arches project forum.

Database specific
{
    "nvd_published_at": "2022-11-11T04:15:00Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-11T00:05:15Z"
}
References

Affected packages

PyPI / arches

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.2

Affected versions

3.*

3.0rc6
3.0rc7
3.0rc8
3.0rc9
3.0rc10
3.0rc11
3.0rc12
3.0rc13
3.0rc14
3.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.1
3.1.1
3.1.2

4.*

4.0b0
4.0b1
4.0b2
4.0b3
4.0
4.0.1
4.1
4.1.1
4.2
4.3
4.3.1
4.3.2
4.3.3
4.4
4.4.1
4.4.2
4.4.3

5.*

5.0
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4

6.*

6.0.0
6.0.1
6.1.0
6.1.1

Database specific

{
    "last_known_affected_version_range": "<= 6.1.1"
}

PyPI / arches

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.2.1

Affected versions

6.*

6.2.0

PyPI / arches

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.2.0

Affected versions

7.*

7.0.0
7.1.0
7.1.1

Database specific

{
    "last_known_affected_version_range": "<= 7.1.1"
}