CVE-2022-38539
Description
Archery v1.7.5 to v1.8.5 contains a SQL injection vulnerability in the /archive/apply endpoint via the where parameter, allowing authenticated attackers to execute arbitrary SQL commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Archery versions 1.7.5 through 1.8.5 are affected by an injection vulnerability reached through the /archive/apply endpoint, whose route is registered in sql/urls.py (line 155 in the v1.8.5 tag) [1]. The where parameter of an archive request is not validated or sanitized before Archery uses it to build the archiving job. The CVE text classifies the flaw as SQL injection; the referenced project issue describes the same parameter reaching a pt-archiver shell command (see Vulnerability mechanics below). Reaching the endpoint requires an authenticated Archery account that holds the DBA role.
Exploitation
An authenticated attacker holding the DBA role submits an archive workflow whose where value carries the payload. Because the value is passed through unsanitized when the job is built, the attacker's input is interpreted as part of the resulting SQL (as the CVE text states) or as additional shell commands on the Archery host (as the referenced issue describes [1]). No interaction from any other user is required.
Impact
Successful exploitation lets the attacker execute arbitrary SQL against the database Archery is archiving, so data managed through Archery can be read, modified, or deleted. Where the payload reaches the pt-archiver command line, as the referenced issue describes, the attacker additionally gains command execution as the Archery service account, which compromises the Archery host itself and anything it can reach.
Mitigation
As of the publication date (2022-09-13), no patched version had been released by the vendor, and no patch is linked on this page. Upgrade past 1.8.5 once a release that addresses the issue is available. Until then, limit the DBA role to trusted operators, validate the where value server-side, and never splice it into a shell command line; pt-archiver should be invoked with an argument list rather than a shell string. No official workaround is documented. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Archery/Archery
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input filtering on the `where` parameter in the archiver plugin allows injection of system commands."
Attack vector
An attacker who is a DBA user can create a malicious workflow and execute it [ref_id=1]. The archiver plugin does not filter the `where` parameter, which is passed unsanitized into a system command invocation [ref_id=1]. By crafting a malicious `where` value, the attacker achieves remote command execution on the Archery server. The issue is triggered via the `/archive/apply` endpoint.
Affected code
The vulnerability is in the archiver plugin, specifically in `sql/archiver.py` (line 283) and `sql/plugins/pt_archiver.py` (line 41) [ref_id=1]. The `where` parameter is not properly filtered, allowing injection into system commands executed by the archiver workflow [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] identifies that the root cause is improper use of `shlex.quote`, which can be bypassed with an extra quote character, leading to command injection. The remediation would require properly sanitizing or validating the `where` parameter before passing it to system commands, or avoiding shell command construction with user-controlled input altogether.
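The following is an added example written for this page; it is not Archery's code and not the fix. It shows the bug class the referenced issue describes: an operator-supplied `where` fragment spliced into a pt-archiver command line that a shell interprets, beside the hardened form that hands the same value to the process as a single argv element. It also covers the mitigation guidance in the AI Insight section above. The function names, the sample connection values and the payload are assumptions made for the example; the pt-archiver flags used (`--source`, `--where`, `--purge`, `--limit`) are real, but pt-archiver itself is never executed here.

```python
"""Added example (not Archery's code): how an archiver `where` value reaches the OS.

Constructed illustration of the bug class in the referenced issue: a WHERE
fragment typed by a DBA is concatenated into a pt-archiver command string that
a shell parses, versus passing it as one argv element with no shell involved.
Function names, sample values and the payload are assumptions for this example.
"""
import shlex
import subprocess

# Constructed sample values (not from any real deployment).
SOURCE = {"host": "127.0.0.1", "user": "archery", "password": "s3cret",
          "db": "app", "table": "audit_log"}
BENIGN_WHERE = "created_at < '2020-01-01'"
MALICIOUS_WHERE = "1=1; id"   # in a shell, ';' ends pt-archiver and starts `id`


def source_dsn(src):
    """pt-archiver --source value: h=host,u=user,p=pass,D=db,t=table."""
    return "h={host},u={user},p={password},D={db},t={table}".format(**src)


def build_cmd_unsafe(src, where, limit=1000):
    """Vulnerable pattern: one string that is later run through a shell.

    Whatever the operator typed into `where` is concatenated verbatim, so shell
    metacharacters in it are interpreted by /bin/sh, not by pt-archiver.
    """
    return (f"pt-archiver --source {source_dsn(src)} --where {where} "
            f"--purge --limit {limit}")


def shell_words(cmdline):
    """Approximate how a POSIX shell tokenises `cmdline`.

    shlex with punctuation_chars=True splits ';', '|', '&', '<', '>', '(' and
    ')' into their own tokens, enough to show where the shell would cut the
    command. (Assumption: Python 3.8+ shlex semantics.)
    """
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def validate_where(where, max_len=4096):
    """Defence in depth: reject values that can never be a sane WHERE fragment.

    Control characters (newlines, NUL) have no place in a one-line predicate.
    Quotes and comparison operators are allowed because real predicates need
    them; the argv-list invocation below is what keeps them away from a shell.
    """
    if not where.strip():
        raise ValueError("empty where clause")
    if len(where) > max_len:
        raise ValueError("where clause too long")
    if any(ord(c) < 0x20 or c == "\x7f" for c in where):
        raise ValueError("control character in where clause")
    return where


def build_cmd_safe(src, where, limit=1000):
    """Hardened pattern: an argv list, never a shell string.

    Each element becomes exactly one argument of the pt-archiver process; the
    kernel passes `where` through untouched, so ';', '|' and '$(...)' are just
    characters inside the predicate.
    """
    return ["pt-archiver", "--source", source_dsn(src),
            "--where", validate_where(where),
            "--purge", "--limit", str(limit)]


def run_archiver(argv, runner=subprocess.run):
    """Execute the argv list without a shell. `runner` is injectable for tests."""
    return runner(argv, shell=False, check=True, capture_output=True, text=True)


if __name__ == "__main__":
    print("shell sees:", shell_words(build_cmd_unsafe(SOURCE, MALICIOUS_WHERE)))
    print("argv is   :", build_cmd_safe(SOURCE, MALICIOUS_WHERE))
```

Run it and compare the two lines: in the shell-string form the tokens `;` and `id` appear as separate words, so a shell would run `id` as a second command; in the argv form the whole payload stays inside the single `--where` argument and pt-archiver (and then the database) is the only thing that ever parses it. Quoting the string with `shlex.quote` is a weaker second choice than never building a shell string at all.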
Preconditions
- auth: Attacker must have the DBA role in Archery
- input: Attacker must be able to create and execute an archive workflow
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://announcements.bybit.com/en-US/article/bybit-improves-the-security-of-the-open-source-community-blt626818c0ee8c48a6/ (MISC)
- https://github.com/hhyo/Archery/blob/v1.8.5/sql/urls.py (MISC)
- https://github.com/hhyo/Archery/issues/1842 (MISC)
News mentions
No linked articles in our index yet.