SQL injection in sql/instance.py endpoint in Archery - GHSL-2022-101
Description
Archery SQL audit platform before v1.9.1 has multiple SQL injection flaws in the sql/instance.py describe endpoint, allowing attackers to query connected databases.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Archery project (an open source SQL audit platform) contains multiple SQL injection vulnerabilities in the sql/instance.py endpoint's describe method. User input from the tb_name, db_name, or schema_name parameters is unsafely concatenated into SQL queries in describe_table methods across several database engine implementations: sql/engines/clickhouse.py, sql/engines/mssql.py, sql/engines/mysql.py, sql/engines/oracle.py, sql/engines/pgsql.py, and sql/engines/phoenix.py. Affected versions include v1.9.0 and earlier [1].
Exploitation
An attacker needs knowledge of the exploited database instance name defined in Archery, plus network access to the Archery web interface. By supplying crafted values in the tb_name, db_name, or schema_name parameters of the describe endpoint, the attacker can inject SQL commands that are concatenated into queries executed by the query method of each affected database engine [1]. No authentication is explicitly stated as required for this endpoint, meaning unauthenticated attackers may exploit it if the endpoint is exposed.
Impact
Successful exploitation allows the attacker to query any of the connected databases that Archery can access. The injection leads to information disclosure of arbitrary data stored in those databases. The scope of compromise depends on the database privileges configured in Archery, but can include all databases registered to the platform [1].
Mitigation
The issue is fixed in Archery v1.9.1; users should upgrade to at least that version. If upgrading is not immediately possible, the recommended workaround is to escape user input (such as by using parameterized queries) in the affected describe_table methods, or to apply input validation on the tb_name, db_name, and schema_name parameters. The vulnerability is also indexed as GHSL-2022-101 [1].
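The concatenation pattern the advisory describes next to a hardened describe_table, as an added example that is not Archery's code: because table, database and schema names are identifiers, most drivers cannot bind them as query parameters, so the safe version allowlists the name against a strict pattern and then quotes it. The sqlite3 in-memory schema is a constructed stand-in for a database instance registered in the platform.

```python
import re
import sqlite3

# Constructed sample schema standing in for a connected database instance.
SAMPLE_SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, pw_hash TEXT);
CREATE TABLE audit_log (id INTEGER PRIMARY KEY, actor TEXT, action TEXT);
"""

# Allowlist for identifiers: letters, digits, underscore; no leading digit; max 64 chars.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def describe_table_unsafe(conn, tb_name):
    # Vulnerable pattern from the advisory: the request parameter is pasted into SQL text,
    # so anything the caller puts in tb_name becomes part of the statement.
    sql = "PRAGMA table_info(" + tb_name + ")"
    return [row[1] for row in conn.execute(sql)]


def quote_ident(name):
    # Identifiers cannot be bound as parameters: validate against the allowlist first,
    # then quote. Doubling embedded quotes is defense in depth; the regex already forbids them.
    if not IDENT_RE.fullmatch(name):
        raise ValueError("invalid SQL identifier: %r" % name)
    return '"' + name.replace('"', '""') + '"'


def describe_table_safe(conn, tb_name):
    # Hardened form: only a validated, quoted identifier ever reaches the SQL text.
    sql = "PRAGMA table_info(%s)" % quote_ident(tb_name)
    return [row[1] for row in conn.execute(sql)]


def describe_columns(tb_name):
    """Return the column names of tb_name, or None when the name is rejected."""
    conn = open_sample_db()
    try:
        return describe_table_safe(conn, tb_name)
    except ValueError:
        return None
    finally:
        conn.close()
```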
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/hhyo/Archery/security/advisories/GHSA-9jvj-8h33-6cqp (source: mitre, x_refsource_CONFIRM)
News mentions: 0 (no linked articles in our index yet)