CVE-2022-38540
Description
Archery v1.4.0 to v1.8.5 is vulnerable to SQL injection via the ThreadIDs parameter in the create_kill_session interface, allowing authenticated DBA users to execute arbitrary SQL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Archery versions v1.4.0 through v1.8.5 contain a SQL injection vulnerability in the create_kill_session interface. The ThreadIDs parameter is not properly sanitized or cast to an integer before being used in SQL queries within the sql/db_diagnostic.py file [1][2]. This allows an attacker to inject arbitrary SQL through the ThreadIDs parameter.
Exploitation
Exploitation requires the attacker to be an authenticated user with the DBA role. By crafting a malicious ThreadIDs parameter in a request to the create_kill_session endpoint, the attacker can bypass intended query restrictions and inject SQL commands into the database query [2]. The injection occurs because the parameter is directly concatenated into SQL statements without type conversion or escaping.
Impact
Successful exploitation allows an attacker with DBA role privileges to execute arbitrary SQL statements against the back-end database. This can lead to data exfiltration, modification, or deletion, and could allow escalation of privileges or bypassing of the SQL review process [2].
Mitigation
As of the publication date (2022-09-13), no patched version had been released. The vulnerability is present in all versions from v1.4.0 to v1.8.5. Users should upgrade to a fixed version if one becomes available. If no patch is yet available, administrators should restrict access to the create_kill_session interface to trusted users only and consider additional network-level protections [2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Archery/Archery
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input type conversion on the ThreadIDs parameter allows SQL injection in the create_kill_session interface."
Attack vector
An attacker who is already authenticated as a DBA-role user can supply a malicious `ThreadIDs` parameter to the `create_kill_session` interface [ref_id=1]. Because the parameter is not sanitized or cast to an integer, it is passed directly into a SQL statement, allowing the attacker to inject arbitrary SQL commands [ref_id=1]. This bypasses the intended query restrictions that normally limit DBA users [ref_id=1].
Affected code
The vulnerability exists in `sql/db_diagnostic.py` at line 57, in the `create_kill_session` interface [ref_id=1]. The `ThreadIDs` parameter is not converted to an integer type before being used in SQL execution [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the remediation is to convert the `ThreadIDs` parameter to an integer type before using it in SQL execution [ref_id=1]. Proper input validation and parameterized queries would prevent the injection. No official fix commit is shown in the provided bundle.
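To make the remediation concrete, the following is an added illustration written for this page; it is not Archery's code and does not reproduce anything from sql/db_diagnostic.py. It assumes the ThreadIDs value arrives as a comma-separated string (an assumption, since the advisory does not state the format), uses hypothetical function names, and uses the %s placeholder style of MySQL DB-API drivers such as PyMySQL. Each id is validated as a plain decimal integer before any SQL is built, which is exactly the type conversion the advisory calls for, and the id is then passed as a query parameter rather than concatenated into the statement.

```python
"""Hypothetical hardening of a kill-session handler (added example, not Archery's code).

The CVE's root cause is that the ThreadIDs parameter reaches a SQL statement
without being converted to an integer. This module shows one way to enforce
that conversion and to hand the value to the driver as a parameter.
"""
import re
from typing import List, Tuple

# A database thread id is a non-negative decimal integer; anything else is
# rejected before it can reach the database. (Assumption: ids are decimal.)
_THREAD_ID_RE = re.compile(r"\d{1,20}")


def parse_thread_ids(raw: str) -> List[int]:
    """Split a comma-separated ThreadIDs value and return a list of ints.

    Raises ValueError if any element is not a plain decimal integer, so quotes,
    operators, comments or additional statements never reach the database.
    (Assumption: the parameter is comma-separated; the advisory does not say.)
    """
    ids: List[int] = []
    for token in raw.split(","):
        token = token.strip()
        if not token:
            continue
        if not _THREAD_ID_RE.fullmatch(token):
            raise ValueError(f"invalid thread id: {token!r}")
        ids.append(int(token))
    if not ids:
        raise ValueError("no thread ids supplied")
    return ids


def is_valid_thread_ids(raw: str) -> bool:
    """Convenience wrapper: True if parse_thread_ids would accept the value."""
    try:
        parse_thread_ids(raw)
        return True
    except ValueError:
        return False


def build_kill_statements(thread_ids: List[int]) -> List[Tuple[str, Tuple[int]]]:
    """Return (sql, params) pairs suitable for a DB-API cursor.execute call.

    The %s placeholder is the style used by MySQL drivers such as PyMySQL; the
    id travels as a bound parameter, not as text pasted into the statement.
    """
    return [("KILL %s", (tid,)) for tid in thread_ids]


def kill_sessions(raw_thread_ids: str, cursor) -> int:
    """Validate ThreadIDs, then issue one KILL per id. Returns the number issued."""
    statements = build_kill_statements(parse_thread_ids(raw_thread_ids))
    for sql, params in statements:
        cursor.execute(sql, params)
    return len(statements)


class RecordingCursor:
    """Stand-in for a DB-API cursor that only records what would be executed."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, Tuple[int]]] = []

    def execute(self, sql: str, params=None) -> None:
        self.calls.append((sql, params))


if __name__ == "__main__":
    cur = RecordingCursor()
    print(kill_sessions("101, 102,103", cur), cur.calls)
    # Constructed malformed values: each is rejected before any SQL is built.
    for bad in ("101 OR 1=1", "'101'", ""):
        print(repr(bad), "accepted" if is_valid_thread_ids(bad) else "rejected")
```

The important property is that the only thing that can ever reach `cursor.execute` is an `int` produced by the validator; a request whose ThreadIDs value contains anything other than digits and commas fails closed with a ValueError, which the calling view can turn into a 400 response.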
Preconditions
- auth: Attacker must be authenticated as a user with the DBA role
- network: Attacker must have network access to the Archery application
- input: The ThreadIDs parameter is not sanitized or type-checked before SQL use
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.