CVE-2022-24827
SQL Injection in elide-datastore-aggregation
Description
### Impact

When leveraging the following together:

- Elide Aggregation Data Store for Analytic Queries
- Parameterized Columns (A column that requires a client provided parameter)
- A parameterized column of type TEXT

There is the potential for a hacker to provide a carefully crafted query that would bypass server side authorization filters through SQL injection. A recent patch to Elide 6.1.2 allowed the '-' character to be included in parameterized TEXT columns. This character can be interpreted as SQL comments ('--') and allow the attacker to remove the WHERE clause from the generated query and bypass authorization filters.

### Patches

A [fix](https://github.com/yahoo/elide/pull/2581) is provided in [Elide 6.1.4](https://github.com/yahoo/elide/releases/tag/6.1.4).

### Workarounds

The vulnerability only exists for parameterized columns of type TEXT and only for analytic queries (CRUD is not impacted). Workarounds include leveraging a different type of parameterized column (TIME, MONEY, etc) or not leveraging parameterized columns.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [elide](https://github.com/yahoo/elide)
* Contact us in [Discord](https://discord.com/invite/3vh8ac57cc)
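The bypass described under Impact, shown on a toy SQLite table as an added example; this is not Elide's code or its fix. The template, table, rows and both patterns are assumptions made for illustration: the weak pattern models a TEXT allowlist that admits '-', the strict one permits single hyphens but can never match '--'.

```python
import re
import sqlite3

# Assumed patterns, not Elide's own. WEAK models "'-' is allowed in TEXT values".
WEAK_TEXT = re.compile(r"[A-Za-z0-9_-]+")
# STRICT still allows single hyphens (en-US) but can never match "--".
STRICT_TEXT = re.compile(r"[A-Za-z0-9_]+(?:-[A-Za-z0-9_]+)*")

# Constructed template: the parameter is substituted unquoted, and the
# server-side authorization filter follows it on the same line.
TEMPLATE = "SELECT owner, amount FROM orders WHERE {flag} = 1 AND owner = 'alice'"

# Constructed sample rows.
ROWS = [("alice", 1, 10), ("bob", 1, 20), ("carol", 0, 30)]


def render(value, pattern):
    """Validate a client-supplied TEXT parameter, then substitute it."""
    if not pattern.fullmatch(value):
        raise ValueError(f"rejected TEXT parameter: {value!r}")
    return TEMPLATE.format(flag=value)


def owners_returned(value, pattern):
    """Run the rendered query on an in-memory table; return the owners seen."""
    db = sqlite3.connect(":memory:")
    try:
        db.execute("CREATE TABLE orders (owner TEXT, active INTEGER, amount INTEGER)")
        db.executemany("INSERT INTO orders VALUES (?, ?, ?)", ROWS)
        return {row[0] for row in db.execute(render(value, pattern))}
    finally:
        db.close()


if __name__ == "__main__":
    print(owners_returned("active", WEAK_TEXT))    # filter intact
    print(owners_returned("active--", WEAK_TEXT))  # filter commented out
    try:
        owners_returned("active--", STRICT_TEXT)
    except ValueError as err:
        print(err)
```

Where the parameter names a column, as in this toy, matching it against an exact list of known column names is stricter than any character allowlist.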
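How to fix CVE-2022-24827
To fix CVE-2022-24827, upgrade the affected package to the patched version below.
- Upgrade to 6.1.4 or later
Is CVE-2022-24827 being exploited?
Low: EPSS is 0.4%, and no large-scale exploitation activity has been observed so far.
Affected packages (1)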
- >= 6.1.3, < 6.1.4