SQL injection in sql_optimize.py optimize_sqltuningadvisor method in Archery - GHSL-2022-107
Description
Archery v1.9.0 and possibly earlier versions contain a SQL injection vulnerability in the optimize_sqltuningadvisor method, allowing attackers to query connected databases via the db_name parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2023-30556 is a SQL injection vulnerability in Archery, an open-source SQL audit platform, affecting versions including v1.9.0. The issue resides in the optimize_sqltuningadvisor method of sql_optimize.py, where user input from the db_name parameter is passed unsanitized to the sqltuningadvisor method in oracle.py for execution [1]. To exploit it, an attacker needs to know the name of the targeted instance as defined in Archery [1].
Exploitation
An attacker needs knowledge of the targeted database instance name as configured in Archery. By sending a crafted request with a malicious db_name parameter value to the vulnerable endpoint, the unsanitized input is concatenated into a SQL query executed against the connected database. No authentication is mentioned, but access to the Archery web interface or API is assumed [1].
Impact
Successful exploitation leads to information disclosure; the attacker can query the connected databases, potentially extracting sensitive data stored in those databases [1]. The impact is limited to reading data, as the injection point is in a SELECT-style query context.
Mitigation
The recommended mitigation is to escape user input in the optimize_sqltuningadvisor method, specifically the db_name parameter, using functions like MySQLdb.escape() or to use prepared statements with placeholders in cursor.execute() [1]. Archery has not released a fixed version as of the advisory date (2023-04-18); users should apply the suggested code changes immediately [1].
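As an added illustration of the mitigation (example code, not Archery's own), the hypothetical pair below models a sqltuningadvisor-style call: the unsafe form formats db_name straight into the PL/SQL text, while the hardened form first checks db_name against the schemas configured for the instance (a schema name is an identifier and cannot be bound, so it must be allowlisted) and then passes every untrusted string as a named bind variable, as the Oracle drivers support. The RecordingCursor, the configured_schemas set and the sample inputs are constructed stand-ins so the example runs without a database.

```python
import re

# Constructed stand-in for a DB-API cursor: it records the statement and bind
# parameters that would be sent, so the example runs with no Oracle connection.
class RecordingCursor:
    def __init__(self):
        self.calls = []

    def execute(self, statement, params=None):
        self.calls.append((statement, params))

# Hypothetical shape of the vulnerable code path described in the advisory (not
# Archery's source): db_name is formatted directly into the PL/SQL text.
def create_tuning_task_unsafe(cursor, db_name, sql_text):
    stmt = (
        "DECLARE t VARCHAR2(64); BEGIN t := DBMS_SQLTUNE.CREATE_TUNING_TASK("
        f"sql_text => '{sql_text}', user_name => '{db_name}'); END;"
    )
    cursor.execute(stmt)
    return stmt

# Plain Oracle identifier: a letter, then letters/digits/_/$/#, at most 30 chars.
IDENTIFIER = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]{0,29}$")

def create_tuning_task_safe(cursor, db_name, sql_text, configured_schemas):
    """Hardened form: db_name must be an identifier taken from the instance's
    own configuration (assumed set), and untrusted strings travel as binds."""
    if not IDENTIFIER.match(db_name) or db_name not in configured_schemas:
        raise ValueError("db_name is not a schema configured for this instance")
    stmt = (
        "DECLARE t VARCHAR2(64); BEGIN t := DBMS_SQLTUNE.CREATE_TUNING_TASK("
        "sql_text => :sql_text, user_name => :user_name); END;"
    )
    cursor.execute(stmt, {"sql_text": sql_text, "user_name": db_name})
    return stmt

def demo():
    schemas = {"HR", "SALES"}      # constructed instance configuration
    bad_db_name = "HR' -- "        # constructed malformed input with a quote
    unsafe = create_tuning_task_unsafe(RecordingCursor(), bad_db_name, "select 1 from dual")
    cur = RecordingCursor()
    try:
        create_tuning_task_safe(cur, bad_db_name, "select 1 from dual", schemas)
        rejected = False
    except ValueError:
        rejected = True
    safe = create_tuning_task_safe(cur, "HR", "select 1 from dual", schemas)
    # (input landed in unsafe SQL text, input rejected by hardened form,
    #  input present in hardened SQL text)
    return (bad_db_name in unsafe, rejected, bad_db_name in safe)
```

Running demo() returns (True, True, False): the malformed value becomes part of the statement only in the unsafe form, and the hardened form refuses it before any statement is built.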
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
References
[1] https://github.com/hhyo/Archery/security/advisories/GHSA-6pv9-9gq7-hr68 (x_refsource_CONFIRM)