CVE-2022-41892
Arches vulnerable to execution of arbitrary SQL
Description
### Impact
With a carefully crafted web request, it is possible to execute certain unwanted SQL statements against the database. Anyone running an impacted version (6.1.1 and earlier, 6.2.0, or 7.0.0 through 7.1.1) should upgrade as soon as possible.
### Patches
The problem has been patched in the following versions: [6.1.2](https://pypi.org/project/arches/6.1.2/), [6.2.1](https://pypi.org/project/arches/6.2.1/), and [7.2.0](https://pypi.org/project/arches/7.2.0/). Users are strongly urged to upgrade to the most recent relevant patch.
### Workarounds
There are no workarounds.
### General References
https://www.w3schools.com/sql/sql_injection.asp
https://en.wikipedia.org/wiki/SQL_injection
### For more information
Post any questions to the [Arches project forum](https://community.archesproject.org/).
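The advisory names the bug class but not the code path. The block below is an added example, not Arches' code and not the vulnerable query: it shows the general pattern behind a "carefully crafted web request" that runs unwanted SQL, a string-built query beside its parameterised form. It uses Python's built-in sqlite3 in place of the PostgreSQL database Arches runs on, and the table, rows and payload are constructed for the demonstration.

```python
import sqlite3

# Constructed sample table; this is not the Arches schema.
SAMPLE_ROWS = [
    (1, "Roman villa", 1),
    (2, "Medieval chapel", 1),
    (3, "Restricted burial ground", 0),  # not public: must never be returned
]

# Attacker-controlled value of the kind that arrives in a crafted web request.
INJECTION_PAYLOAD = "' OR 1=1 --"


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE resources ("
        "id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_public INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO resources VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def public_ids_unsafe(conn, name):
    """Vulnerable pattern: the request value is spliced into the SQL text.

    With INJECTION_PAYLOAD the statement becomes
        ... WHERE is_public = 1 AND name = '' OR 1=1 --'
    so the OR defeats the is_public filter and every row comes back.
    """
    sql = f"SELECT id FROM resources WHERE is_public = 1 AND name = '{name}'"
    return sorted(row[0] for row in conn.execute(sql))


def public_ids_safe(conn, name):
    """Hardened pattern: the value travels as a bound parameter, never as SQL.

    The driver sends the statement and the value separately, so no row can
    match unless its name is literally the payload string.
    """
    sql = "SELECT id FROM resources WHERE is_public = 1 AND name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def demo():
    """Return (unsafe_result, safe_result) for the payload against a fresh database."""
    conn = make_db()
    return (
        public_ids_unsafe(conn, INJECTION_PAYLOAD),
        public_ids_safe(conn, INJECTION_PAYLOAD),
    )


if __name__ == "__main__":
    unsafe, safe = demo()
    print("string-built query returned:", unsafe)  # every id, including the restricted row
    print("parameterised query returned:", safe)   # nothing: no row has that literal name
```

One caveat that matters for a PostgreSQL deployment: sqlite3's `execute()` refuses to run more than one statement, whereas psycopg2 passes the whole string to the server, so a payload ending in `; DELETE FROM ...` can run a second statement there. Parameter binding removes both the boolean-logic and the stacked-statement variants at once.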
How to patch CVE-2022-41892
To patch CVE-2022-41892, upgrade the affected package to the patched release for the line you are running.
- arches: upgrade to 6.1.2 or later on the 6.1 line, 6.2.1 or later on the 6.2 line, or 7.2.0 or later on the 7.x line
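A small added helper, not part of this page or of the Arches project, that maps an installed version onto the advisory's release lines and returns the patched version to move to. It takes the conservative reading, which is an assumption beyond the advisory's literal list: every release older than the fix on each affected line (anything below 6.1.2, 6.2.x below 6.2.1, and 7.x below 7.2.0) is treated as affected.

```python
import re
from importlib import metadata


def parse_version(text):
    """Turn '7.1.1' or '6.2.0rc1' into a 3-tuple of ints, ignoring non-numeric tails."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def fixed_version_for(version):
    """Return the patched release this version should upgrade to, or None if not affected.

    Ranges follow the advisory: fixed in 6.1.2, 6.2.1 and 7.2.0. Treating every
    older release on each line as affected is a conservative assumption.
    """
    v = parse_version(version)
    if v < (6, 1, 2):                      # 6.1.1 and everything before it
        return "6.1.2"
    if v[:2] == (6, 2) and v < (6, 2, 1):  # 6.2.0
        return "6.2.1"
    if v[0] == 7 and v < (7, 2, 0):        # 7.0.0 through 7.1.1
        return "7.2.0"
    return None


def is_affected(version):
    """True when the advisory's ranges cover this version."""
    return fixed_version_for(version) is not None


def installed_arches_version():
    """Version of the arches distribution in this environment, or None if not installed."""
    try:
        return metadata.version("arches")
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    current = installed_arches_version()
    if current is None:
        print("arches is not installed in this environment")
    else:
        target = fixed_version_for(current)
        print(f"arches {current}: " + (f"affected, upgrade to {target}" if target else "not affected"))
```

Run it inside the virtualenv that serves the Arches site; it reads the version from package metadata, so it reflects what is actually importable rather than what a requirements file says.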
Is CVE-2022-41892 being exploited?
Low: the EPSS score is 0.1%, and no large-scale exploitation activity has been observed so far.
Affected packages
- arches (PyPI): from 0, < 6.1.2; 6.2.0; and from 7.0.0, <= 7.1.1 (fixed in 6.1.2, 6.2.1 and 7.2.0 respectively)
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.6) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L |