VYPR
Unrated severity · NVD Advisory · Published Sep 13, 2022 · Updated Aug 3, 2024

CVE-2022-38541

Description

Archery v1.8.3 to v1.8.5 is vulnerable to SQL injection and command injection via unvalidated start_time and stop_time parameters in the my2sql interface.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Archery versions v1.8.3 through v1.8.5 contain multiple SQL injection vulnerabilities in the my2sql interface. The flaws exist because the start_time and stop_time parameters are not properly sanitized before being passed to SQL queries. Additionally, the same parameters and others (start_file, end_file, where) in related plugins (my2sql.py, binlog2sql.py, archiver.py, pt_archiver.py) are not adequately filtered, leading to command injection vulnerabilities as reported in issue #1842 [1], [2].

Exploitation

An attacker must have network access to the Archery web interface and, for the worst-case command injection, be assigned the DBA role. The attacker can craft malicious input for the start_time or stop_time parameters (or other unsanitized parameters like where) in the my2sql or binlog2sql plugin forms. Due to improper use of shlex.quote, a single extra quote can bypass quoting and inject arbitrary system commands. Step-by-step: 1) Authenticate as a DBA user. 2) Create a malicious workflow. 3) Supply crafted parameter values. 4) Execute the workflow, triggering the vulnerable code path in the plugin [2].

Impact

Successful exploitation allows an authenticated DBA attacker to achieve remote command execution on the server hosting Archery. This results in full compromise of the CIA triad: access to the underlying database, potential exfiltration of sensitive data, and the ability to execute arbitrary commands, escalate privileges, or pivot to other systems. The SQL injection alone could enable unauthorized data retrieval or modification, but the command injection is the primary risk [2].

Mitigation

As of the available references, no patched version has been released for CVE-2022-38541. A fix would need to correct the input filtering in the affected plugins (sql/plugins/my2sql.py, sql/plugins/binlog2sql.py, sql/archiver.py, sql/plugins/pt_archiver.py) and either use shlex.quote properly or validate the parameters against allow-lists. Users running Archery v1.8.3–v1.8.5 should restrict network access to the management interface, strictly control DBA role assignments, and monitor for official updates. This CVE is not listed on the CISA KEV [1], [2].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Archery/Archery (source: description)
  • hhyo/Archery (source: llm-fuzzy)
    Range: >=1.8.3, <=1.8.5

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"Improper use of shlex.quote allows quote bypassing with an extra quote, leading to injection of system commands via unfiltered parameters."

Attack vector

An attacker with DBA role privileges can craft malicious values for the `start_time` and `stop_time` parameters in the my2sql interface [ref_id=1]. The application's filtering method is insufficient — it uses `shlex.quote` improperly, which can be bypassed by including an extra quote character in the parameter value [ref_id=1]. This allows the attacker to inject arbitrary system commands that get executed on the server. The same injection vector applies to the binlog2sql plugin (via `start_file`, `end_file`, `start_time`, `stop_time`) and the archiver plugin (via the `where` parameter) [ref_id=1].

Affected code

The vulnerability exists in `sql/plugins/my2sql.py` at line 36, where the `start_time` and `stop_time` parameters are not properly filtered before being passed to system command execution [ref_id=1]. The same class of injection issues also affects `sql/plugins/binlog2sql.py` (line 43) with `start_file`, `end_file`, `start_time`, and `stop_time` parameters, as well as `sql/plugins/pt_archiver.py` (line 41) and `sql/archiver.py` (line 283) where the `where` parameter is unfiltered [ref_id=1].

What the fix does

The advisory does not include a published patch diff, but identifies the root cause as improper use of `shlex.quote` which can be bypassed with an extra quote character [ref_id=1]. The remediation would require strengthening input validation and sanitization for the `start_time`, `stop_time`, and other affected parameters before they are interpolated into system commands. The advisory notes that the filtering method in `sql/plugins/my2sql.py` (line 36) and the other affected files must be corrected to prevent command injection [ref_id=1].
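The allow-list approach described in the Mitigation and "What the fix does" sections, as an added illustration that is not code from Archery or from this advisory: each of the parameters the advisory names (start_time, stop_time, start_file, end_file) is checked against a strict format before use, and the validated values are passed to the external tool as an argv list rather than a quoted shell string, so the command line never depends on shlex.quote being applied correctly. The my2sql flag names and the helper names are assumptions.

```python
import re
import subprocess
from datetime import datetime

# Allow-lists for the parameters named in the advisory. Hypothetical helper code,
# not Archery's own: timestamps must be exactly "YYYY-MM-DD HH:MM:SS", binlog
# file names only the characters MySQL uses (e.g. mysql-bin.000123).
_TIME_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
_BINLOG_RE = re.compile(r"[A-Za-z0-9_.-]+")


def validate_time(value: str) -> str:
    """Return value unchanged if it is a well-formed timestamp, else raise."""
    if not _TIME_RE.fullmatch(value):
        raise ValueError(f"rejected time parameter: {value!r}")
    # The regex alone accepts month 13; strptime enforces a real calendar date.
    datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
    return value


def validate_binlog_name(value: str) -> str:
    """Return value unchanged if it looks like a binlog file name, else raise."""
    if not _BINLOG_RE.fullmatch(value) or value in (".", ".."):
        raise ValueError(f"rejected binlog file parameter: {value!r}")
    return value


def is_valid_time(value: str) -> bool:
    try:
        validate_time(value)
        return True
    except ValueError:
        return False


def build_my2sql_argv(host, port, user, start_file, end_file, start_time, stop_time):
    """Build an argv list; the my2sql flag names here are assumed, check the tool's help."""
    return [
        "my2sql", "-host", host, "-port", str(port), "-user", user,
        "-start-file", validate_binlog_name(start_file),
        "-stop-file", validate_binlog_name(end_file),
        "-start-datetime", validate_time(start_time),
        "-stop-datetime", validate_time(stop_time),
    ]


def run_my2sql(argv):
    # shell=False: each element reaches the tool as one argument and no shell
    # parses the string, so an extra quote in user input has nothing to break out of.
    return subprocess.run(argv, shell=False, capture_output=True, text=True)
```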

Preconditions

  • auth: Attacker must have a DBA role in Archery to create and execute workflows
  • config: The my2sql (or binlog2sql, or archiver) plugin must be accessible and configured
  • input: Attacker must be able to supply values for start_time, stop_time, or other affected parameters

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0