CVE-2022-24827
SQL Injection in elide-datastore-aggregation
Description
### Impact

When leveraging the following together:

- Elide Aggregation Data Store for Analytic Queries
- Parameterized Columns (a column that requires a client-provided parameter)
- A parameterized column of type TEXT

there is the potential for a hacker to provide a carefully crafted query that would bypass server-side authorization filters through SQL injection. A recent patch to Elide 6.1.2 allowed the '-' character to be included in parameterized TEXT columns. Doubled, this character is interpreted as a SQL comment ('--'), which allows the attacker to remove the WHERE clause from the generated query and bypass authorization filters.

### Patches

A [fix](https://github.com/yahoo/elide/pull/2581) is provided in [Elide 6.1.4](https://github.com/yahoo/elide/releases/tag/6.1.4).

### Workarounds

The vulnerability only exists for parameterized columns of type TEXT and only for analytic queries (CRUD is not impacted). Workarounds include leveraging a different type of parameterized column (TIME, MONEY, etc.) or not leveraging parameterized columns.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [elide](https://github.com/yahoo/elide)
* Contact us in [Discord](https://discord.com/invite/3vh8ac57cc)
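The following added example (not Elide's code and not taken from the advisory) models the failure described under Impact with SQLite: a character allowlist that admits '-' lets '--' through, and the authorization filter that follows the parameter is commented out. The table, the template, the two patterns and the sample rows are constructed assumptions.

```python
import re
import sqlite3

# Constructed patterns for illustration; not Elide's validation code.
WEAK_TEXT = re.compile(r"[A-Za-z0-9_-]+")    # '-' allowed, so '--' passes
STRICT_TEXT = re.compile(r"[A-Za-z0-9_]+")   # '-' rejected, so no '--' comment

# Hypothetical template: the TEXT parameter names a column and is substituted
# unquoted; the server-side authorization filter follows it on the same line.
TEMPLATE = "SELECT id FROM orders WHERE region = {param} AND owner = 'alice'"

ROWS = [  # constructed sample data: (id, region, home_region, owner)
    (1, "emea", "emea", "alice"),
    (2, "apac", "apac", "bob"),
    (3, "emea", "apac", "bob"),
]


def make_db():
    """Create an in-memory database holding the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id, region, home_region, owner)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", ROWS)
    return db


def run_query(db, value, pattern):
    """Validate the parameter, build the SQL, return the visible row ids."""
    if not pattern.fullmatch(value):
        raise ValueError(f"rejected TEXT parameter: {value!r}")
    sql = TEMPLATE.format(param=value)
    return sorted(row[0] for row in db.execute(sql))


if __name__ == "__main__":
    db = make_db()
    # Expected parameter: only alice's matching row is visible.
    print(run_query(db, "home_region", WEAK_TEXT))
    # Trailing '--' passes the weak check and drops the owner filter.
    print(run_query(db, "home_region--", WEAK_TEXT))
    # The strict pattern refuses the value before any SQL is built.
    try:
        run_query(db, "home_region--", STRICT_TEXT)
    except ValueError as exc:
        print(exc)
```
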
How to fix CVE-2022-24827
To remediate CVE-2022-24827, upgrade the affected package to a fixed version below.
- —upgrade to 6.1.4 or later
Is CVE-2022-24827 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 6.1.3, < 6.1.4