Introduction: Archery is an open-source SQL audit platform that helps developers and professionals identify, analyze, and fix vulnerabilities in their SQL databases. It supports various database engines like MySQL, Oracle, MSSQL, and many more. However, the Archery project contains multiple SQL injection vulnerabilities that may allow an attacker to query the connected databases. This article will explore these vulnerabilities, elaborating on the specifics of the issues and ways to mitigate them.

Affected Versions: Archery versions containing the explain method in sql_optimize.py are vulnerable to SQL injection attacks. The user input from the db_name parameter value in the explain endpoint is passed to the following query methods of each database engine for execution:

1. query in sql/engines/mssql.py
2. query in sql/engines/oracle.py

Exploit Details: An attacker can exploit these vulnerabilities by sending a crafted value, carrying a SQL injection payload, as the db_name parameter of the explain endpoint. Because the method builds a SQL statement by string formatting that includes this user input and then executes it, the attacker can run arbitrary SQL commands against the connected databases.

Here is a simplified code snippet showcasing the vulnerability (sql, the statement to be explained, is assigned in the omitted lines):

# In sql_optimize.py (vulnerable version)

def explain(request):
    # db_name is taken verbatim from the request and never validated
    db_name = request.POST.get('db_name')
    # ... (omitted for brevity; sql is assigned here)

    with connections[str(db_name)].cursor() as cursor:
        # the statement is assembled by string formatting and executed as-is
        sql_query = f"EXPLAIN {sql}"
        cursor.execute(sql_query)
    # ... (omitted for brevity)

Mitigation: To mitigate these vulnerabilities, user input should be escaped, or prepared statements should be used, when executing SQL queries. For example, using Python's DB-API 2.0 placeholders helps prevent SQL injection attacks:

# In sql_optimize.py (fixed version)

def explain(request):
    db_name = request.POST.get('db_name')
    # ... (omitted for brevity; sql is assigned here)

    with connections[str(db_name)].cursor() as cursor:
        # the value is bound as a parameter instead of being formatted
        # into the statement text
        sql_query = "EXPLAIN %s"
        cursor.execute(sql_query, (sql,))
    # ... (omitted for brevity)

Note that this example demonstrates a general approach to preventing SQL injection attacks; the implementation will differ depending on the database engine in use. Placeholders bind values only: an identifier such as db_name cannot be passed through a placeholder, so it should be checked against the list of databases the instance actually serves, and quoted as an identifier, before it reaches the query.
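As an added illustration (not Archery's own code), the following stand-alone Python uses an in-memory SQLite database in place of the MySQL, Oracle or MSSQL connection that an engine's query method would hold. It contrasts the vulnerable pattern (db_name spliced into the statement text) with a fix that allowlists the name against the databases the connection serves and quotes it as an identifier, and it shows why a DB-API placeholder alone cannot bind a database name. The table names, the served_databases helper and the crafted input are all constructed for this example.

```python
import re
import sqlite3


def make_conn():
    # Constructed sample: an in-memory SQLite database stands in for the
    # server-side connection an Archery engine would use (assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, amount REAL)")
    conn.execute("CREATE TABLE secrets (id INTEGER PRIMARY KEY, token TEXT)")
    conn.execute("CREATE INDEX orders_amount_idx ON orders(amount)")
    conn.commit()
    return conn


def served_databases(conn):
    # Names this connection really serves. In SQLite that is "main" plus any
    # attached databases; a real engine would ask the server for its
    # database list instead (assumption for this example).
    return {row[1] for row in conn.execute("PRAGMA database_list")}


def list_tables_vulnerable(conn, db_name):
    # The flawed pattern: db_name comes straight from the request and is
    # spliced into the statement text, so it can carry more than a name.
    sql = f"SELECT name FROM {db_name}.sqlite_master WHERE type = 'table'"
    return sorted(row[0] for row in conn.execute(sql))


IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def list_tables_hardened(conn, db_name):
    # 1. Allowlist: only a database the instance serves may be named. This is
    #    the check that closes the hole; the request cannot introduce a value
    #    the server does not already know.
    if db_name not in served_databases(conn):
        raise ValueError(f"unknown database: {db_name!r}")
    # 2. Defence in depth: a database name is an identifier, so it is also
    #    syntax-checked and double-quoted (ANSI/SQLite identifier quoting;
    #    MySQL uses backticks and MSSQL uses square brackets).
    if not IDENTIFIER_RE.match(db_name):
        raise ValueError(f"malformed database name: {db_name!r}")
    sql = f'SELECT name FROM "{db_name}".sqlite_master WHERE type = \'table\''
    return sorted(row[0] for row in conn.execute(sql))


def hardened_rejects(conn, db_name):
    # True when the hardened path refuses db_name.
    try:
        list_tables_hardened(conn, db_name)
    except ValueError:
        return True
    return False


def placeholder_binds_identifier(conn, db_name):
    # Why a placeholder alone is not the fix: placeholders bind values, not
    # identifiers, so the driver rejects the statement at prepare time.
    try:
        conn.execute("SELECT name FROM ?.sqlite_master", (db_name,))
    except sqlite3.OperationalError:
        return False
    return True


# Constructed crafted value: a real database name followed by extra SQL. The
# trailing "--" comments out the rest of the original statement, so the
# type = 'table' filter is silently dropped and the index row leaks through.
CRAFTED_DB_NAME = "main.sqlite_master WHERE 1 --"

if __name__ == "__main__":
    conn = make_conn()
    print(list_tables_vulnerable(conn, "main"))           # ['orders', 'secrets']
    print(list_tables_vulnerable(conn, CRAFTED_DB_NAME))  # ['orders', 'orders_amount_idx', 'secrets']
    print(list_tables_hardened(conn, "main"))             # ['orders', 'secrets']
    print(hardened_rejects(conn, CRAFTED_DB_NAME))        # True
    print(placeholder_binds_identifier(conn, "main"))     # False
```

The allowlist is the part that matters: it ties the accepted value to state the server already holds, so the request can only pick, never invent. The identifier regex and quoting are a second layer for engines where the served list is fetched lazily or cached.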

Original References

1. GitHub Security Lab - GHSL-2022-108
2. Archery - SQL Injection Vulnerability
3. CVE-2023-30555 - NIST National Vulnerability Database

Conclusion: CVE-2023-30555 represents a critical security vulnerability in the Archery SQL audit platform. Developers and professionals using Archery are advised to update their implementations and apply the appropriate mitigations. By escaping user input or using prepared statements when executing SQL queries, developers can safeguard their sensitive data from potential attackers.

Timeline

Published on: 04/19/2023 00:15:00 UTC
Last modified on: 05/01/2023 17:21:00 UTC