CVE-2022-38542
Description
SQL injection in Archery v1.4.0 to v1.8.5 via ThreadIDs parameter in kill_session interface allows authenticated DBA users to execute arbitrary SQL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Archery versions 1.4.0 through 1.8.5 contain a SQL injection vulnerability in the kill_session interface. The ThreadIDs parameter is not properly sanitized or cast to an integer before being used in SQL queries, allowing an attacker to inject arbitrary SQL. The vulnerable code is located in sql/db_diagnostic.py at lines 57 and 88 [1][2].
Exploitation
An attacker must be authenticated to Archery with the DBA role. The ThreadIDs parameter is interpolated directly into a SQL statement without escaping or type conversion. In the kill_session interface (line 88) the rows returned by that first query are themselves executed as SQL, so an attacker who controls the first query's SELECT list also controls the statements run in the second step, a second-order injection [2]. The net effect is arbitrary SQL execution on the underlying MySQL instance.
Impact
Successful exploitation allows an attacker with the DBA role to execute arbitrary SQL statements, bypassing Archery's SQL review workflow. This can lead to unauthorized data access or modification and to privilege escalation: the reporter notes that the attacker can steal other users' Django session keys and thereby gain DBA permissions [2].
Mitigation
The project has released version 1.9.0 which fixes the vulnerability. Users should upgrade to v1.9.0 or later. No official workaround is documented for versions prior to 1.9.0 [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Archery/Archery
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization — the ThreadIDs parameter is not converted to an integer type before being passed into SQL statements, enabling SQL injection."
Attack vector
An attacker must be a logged-in user with the DBA role to reach the `kill_session` interface [ref_id=1]. The `ThreadIDs` parameter is interpolated into a SQL statement without integer type conversion or escaping, so an attacker can inject arbitrary SQL into that first query [ref_id=1]. Because the rows returned by the first query are then executed as SQL against the MySQL instance, the attacker also controls the second-stage statements: a second-order SQL injection that executes arbitrary SQL and bypasses the SQL review process [ref_id=1].
Affected code
The vulnerability exists in `sql/db_diagnostic.py` at line 88, where the `ThreadIDs` parameter of the `kill_session` interface is not converted to an integer type before being used in SQL statements [ref_id=1]. Additionally, the same file at line 57 contains a similar issue in the `create_kill_session` interface [ref_id=1]. A related SQL injection also exists in `sql/slowlog.py` at line 167 via the `checksum` parameter [ref_id=1].
What the fix does
The advisory states that the project has released a fix; users should upgrade to Archery v1.9.0 or later [ref_id=1]. No patch diff is included in the bundle. Based on the stated root cause, a fix would need to convert the `ThreadIDs` parameter to integers before it reaches any SQL statement, and to escape or parameterize the `checksum` parameter in the slowlog report interface [ref_id=1].
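The flawed pattern described above (Exploitation and Attack vector) and the kind of fix this section describes, as an added illustration that is not Archery's own code: the vulnerable builder splices the raw `ThreadIDs` string into the first-stage processlist query, whose result rows the caller would then execute as SQL, while the hardened path accepts only comma-separated integers and emits parameterized statements built from those integers alone. The function names, the `%s` DB-API paramstyle (the one used by the PyMySQL and mysqlclient drivers, which quote parameters client-side), and the sample inputs are assumptions for this example.

```python
import re
from typing import List, Tuple

# Constructed sample inputs for the example (not taken from the advisory).
BENIGN_THREAD_IDS = "12, 345"
# Closes the IN (...) list early and takes over the SELECT list; the rows the
# database returns are exactly what the vulnerable caller runs as its second query.
MALICIOUS_THREAD_IDS = "0) union select 'drop table sql_users' -- "

_INT_RE = re.compile(r"\d+")


def build_processlist_lookup_vulnerable(thread_ids: str) -> str:
    """The flaw, reconstructed (hypothetical, not the project's code): the raw
    request parameter is formatted into the first-stage query. Because this
    query's result set is later executed as SQL, controlling its SELECT list
    means controlling the second-stage statements."""
    return (
        "select concat('kill ', id, ';') from information_schema.processlist "
        f"where id in ({thread_ids})"
    )


def parse_thread_ids(thread_ids: str) -> List[int]:
    """Accept only a non-empty, comma-separated list of decimal integers.
    MySQL thread ids are unsigned integers, so anything else is rejected
    outright rather than escaped."""
    parts = [p.strip() for p in thread_ids.split(",")]
    if any(not _INT_RE.fullmatch(p) for p in parts):
        raise ValueError(f"ThreadIDs must be comma-separated integers, got {thread_ids!r}")
    return [int(p) for p in parts]


def is_valid_thread_ids(thread_ids: str) -> bool:
    """Boolean wrapper around parse_thread_ids for callers that prefer not to catch."""
    try:
        parse_thread_ids(thread_ids)
    except ValueError:
        return False
    return True


def build_processlist_lookup_safe(thread_ids: str) -> Tuple[str, Tuple[int, ...]]:
    """Hardened first stage: validated integers bound through DB-API placeholders
    (%s paramstyle), one placeholder per id, so no request text reaches the SQL."""
    ids = parse_thread_ids(thread_ids)
    placeholders = ", ".join(["%s"] * len(ids))
    sql = f"select id from information_schema.processlist where id in ({placeholders})"
    return sql, tuple(ids)


def build_kill_statements_safe(thread_ids: str) -> List[Tuple[str, Tuple[int]]]:
    """Hardened second stage: KILL statements built from the validated integers,
    never from strings the database returned. Each entry is (sql, params) ready
    for cursor.execute(sql, params)."""
    return [("KILL %s", (tid,)) for tid in parse_thread_ids(thread_ids)]


if __name__ == "__main__":
    print(build_processlist_lookup_vulnerable(MALICIOUS_THREAD_IDS))
    print(build_processlist_lookup_safe(BENIGN_THREAD_IDS))
    print(build_kill_statements_safe(BENIGN_THREAD_IDS))
    print(is_valid_thread_ids(MALICIOUS_THREAD_IDS))
```

The important design choice is in the second stage: the hardened version never executes anything the database hands back, so even a flaw elsewhere in the first query could not be turned into arbitrary statement execution.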
Preconditions
- auth: Attacker must be a logged-in user with the DBA role to access the kill_session interface
- network: Attacker must be able to reach the Archery web application over the network
- input: The ThreadIDs parameter is accepted without integer type validation
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- announcements.bybit.com/en-US/article/bybit-improves-the-security-of-the-open-source-community-blt626818c0ee8c48a6/ (MISC)
- github.com/hhyo/Archery/blob/v1.8.5/sql/urls.py (MISC)
- github.com/hhyo/Archery/issues/1841 (MISC)
News mentions
No linked articles in our index yet.