Fumon trello-octometric srv.go main sql injection
Description
A vulnerability classified as critical has been found in Fumon trello-octometric. This affects the function main of the file metrics-ui/server/srv.go. The manipulation of the argument num leads to sql injection. The patch is named a1f1754933fbf21e2221fbc671c81a47de6a04ef. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217611.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- (no CPE)
- (no CPE), range: n/a
Patches
Vulnerability mechanics
Root cause
"The application improperly sanitizes user-controlled input used in SQL queries, leading to SQL injection."
Attack vector
An attacker can manipulate the 'num' argument in the application to inject malicious SQL code. This occurs because the application uses `fmt.Sprintf` to construct SQL queries with user-provided input, rather than parameterized queries. The vulnerability is present in the `main` function within the `metrics-ui/server/srv.go` file [ref_id=1].
Affected code
The vulnerability resides in the `main` function located in the `metrics-ui/server/srv.go` file. Specifically, the lines where `fmt.Sprintf` is used to build SQL queries that include the `vars["num"]` variable are affected. The patch modifies these lines to use parameterized queries instead [ref_id=1].
What the fix does
The patch replaces the use of `fmt.Sprintf` with parameterized queries for constructing SQL statements. Instead of directly embedding the `vars["num"]` variable into the query string, it is now passed as a parameter using `$1`. This ensures that the input is treated as data rather than executable SQL code, thereby preventing SQL injection [ref_id=1].
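The two query-building patterns the advisory contrasts, as an added illustration that is not code from the trello-octometric project: the pre-patch `fmt.Sprintf` interpolation beside the parameterized `$1` form. The table and column names, the `LIMIT` clause and the range check are assumptions; only the `num` variable and the `$1` placeholder come from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// Pre-patch pattern as the advisory describes it: the request value is
// interpolated into the SQL text, so whatever the client sent becomes part
// of the statement. Table and column names are assumptions.
func buildQueryUnsafe(num string) string {
	return fmt.Sprintf("SELECT name, value FROM metrics ORDER BY ts DESC LIMIT %s", num)
}

// Post-patch pattern: the SQL text is constant and carries a $1 placeholder;
// the value travels separately as a bound argument, so the driver never
// parses it as SQL. The integer/range check is an added defensive layer,
// since a LIMIT count has an obvious expected shape.
func buildQuerySafe(num string) (string, []interface{}, error) {
	n, err := strconv.Atoi(num)
	if err != nil || n < 1 || n > 1000 {
		return "", nil, errors.New("num must be an integer in 1..1000")
	}
	const q = "SELECT name, value FROM metrics ORDER BY ts DESC LIMIT $1"
	return q, []interface{}{n}, nil
}

func main() {
	// Constructed inputs: a well-formed count and a malformed one with a
	// stray quote, the kind of value a fuzzer or scanner would send.
	for _, in := range []string{"25", "25'"} {
		fmt.Printf("input %q\n", in)
		fmt.Println("  unsafe:", buildQueryUnsafe(in))
		q, args, err := buildQuerySafe(in)
		if err != nil {
			fmt.Println("  safe:   rejected:", err)
			continue
		}
		fmt.Printf("  safe:   %s  args=%v\n", q, args)
	}
}
```

The unsafe builder emits the stray quote verbatim into the statement text, while the safe builder either rejects the value or passes it only as an argument next to an unchanged query string.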
Preconditions
- input: The 'num' argument must be controllable by the attacker.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/Fumon/trello-octometric/commit/a1f1754933fbf21e2221fbc671c81a47de6a04ef (mitre, patch)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.