SQL injection in data_dictionary.py table_info method in Archery - GHSL-2022-106
Description
Archery SQL audit platform v1.9.0 vulnerable to SQL injection in data_dictionary.py table_info endpoint allowing querying connected databases.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Archery v1.9.0 contains multiple SQL injection vulnerabilities reachable through the sql/data_dictionary.py table_info endpoint. The user-supplied db_name and tb_name parameters are passed unchanged into the methods get_table_meta_data, get_table_desc_data, and get_table_index_data in sql/engines/mssql.py and sql/engines/oracle.py [1][2]. These methods build the metadata queries by string-formatting the two values directly into the SQL text and then execute them on the target database engine, with no validation, escaping, or parameter binding [1]. Because db_name and tb_name are database and table identifiers, a quote character in either value ends the literal the engine expected and the remainder of the value is parsed as SQL.
Exploitation
An attacker needs to know a valid instance name defined in Archery (the name of a configured database connection) and must be able to reach the table_info endpoint [1]. By crafting malicious values for db_name or tb_name, the attacker can inject arbitrary SQL into the metadata queries that Archery runs against the MSSQL or Oracle database behind that instance [1]. The references do not say what authentication or permission level the endpoint requires [2]; before treating this as an unauthenticated issue, check the permission decorators on the table_info view in the deployed version, since Archery's views are normally only reachable by logged-in users.
Impact
Successful exploitation allows the attacker to run queries of their choosing against any database connected to the affected Archery instance, leading to unauthorized disclosure of sensitive data stored in those databases [1]. The references describe information disclosure only; no file write or remote code execution is claimed. In practice the ceiling is set by the privileges of the account Archery uses for the connection: the injected statements run as that account, so a connection configured with write or administrative rights widens the impact beyond reading data.
Mitigation
As of April 2023, no patched version of Archery had been released [1]; check the advisory for a fix before relying on that statement. Until one is applied, administrators should validate user input in the affected methods and pass values to the engine through prepared statements [1]. Note that db_name and tb_name are identifiers, and most drivers cannot bind an identifier as a query parameter where it is used as an object name, so the effective fix there is to accept only values that match a strict identifier pattern or that appear in the database and table lists the engine itself returns. The vulnerability is tracked as GHSL-2022-106 and is not listed on the CISA KEV as of this writing.
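The following Python example is added here to illustrate both the Vulnerability and Mitigation sections; it is not code from Archery or from the advisory. It uses an in-memory SQLite database as a constructed stand-in for a connected MSSQL or Oracle instance (a table named columns_meta plays the role of information_schema.columns and app_users is unrelated data the data dictionary should never expose). The function table_meta_vulnerable reproduces the string-formatting pattern the advisory describes, table_meta_safe shows the identifier allowlist plus parameter binding, and the payload, table names, and column values are all invented for the demonstration. SQLite uses ? placeholders; pymssql and cx_Oracle use %s and :name respectively, but the pattern is the same.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a database Archery is connected to."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE columns_meta (
            table_catalog TEXT, table_name TEXT, column_name TEXT, data_type TEXT);
        INSERT INTO columns_meta VALUES ('sales', 'orders', 'order_id', 'int');
        INSERT INTO columns_meta VALUES ('sales', 'orders', 'amount', 'decimal');
        -- Data the data dictionary has no business returning.
        CREATE TABLE app_users (username TEXT, password_hash TEXT);
        INSERT INTO app_users VALUES ('admin', '$2b$12$constructed-hash');
        """
    )
    return conn


def table_meta_vulnerable(conn: sqlite3.Connection, db_name: str, tb_name: str):
    # Mirrors the pattern the advisory describes: the request parameters are
    # formatted straight into the SQL text. A quote in tb_name closes the
    # string literal and whatever follows is executed as SQL.
    sql = (
        "SELECT column_name, data_type FROM columns_meta "
        f"WHERE table_catalog = '{db_name}' AND table_name = '{tb_name}'"
    )
    return conn.execute(sql).fetchall()


# Hypothetical allowlist: an unquoted identifier of letters, digits, _ and $.
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_$]{0,127}")


def validate_identifier(name: str) -> str:
    """Reject anything that is not a plain identifier before it reaches SQL."""
    if not IDENTIFIER_RE.fullmatch(name):
        raise ValueError(f"rejected identifier: {name!r}")
    return name


def table_meta_safe(conn: sqlite3.Connection, db_name: str, tb_name: str):
    # Two layers: the allowlist protects places where the value is spliced in
    # as an object name (USE <db>, FROM <table>), and parameter binding
    # protects places where it is compared as a string literal, as here.
    db_name = validate_identifier(db_name)
    tb_name = validate_identifier(tb_name)
    sql = (
        "SELECT column_name, data_type FROM columns_meta "
        "WHERE table_catalog = ? AND table_name = ?"
    )
    return conn.execute(sql, (db_name, tb_name)).fetchall()


# Constructed payload for tb_name: closes the literal, UNIONs in another
# table's rows, and comments out the trailing quote.
PAYLOAD = "x' UNION SELECT username, password_hash FROM app_users --"


def demo():
    """Returns (rows leaked by the vulnerable path, whether the safe path
    refused the payload, rows the safe path returns for a legitimate name)."""
    conn = make_db()
    leaked = table_meta_vulnerable(conn, "sales", PAYLOAD)
    try:
        table_meta_safe(conn, "sales", PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    legit = table_meta_safe(conn, "sales", "orders")
    return leaked, blocked, legit


if __name__ == "__main__":
    leaked, blocked, legit = demo()
    print("vulnerable path leaked:", leaked)
    print("safe path rejected payload:", blocked)
    print("safe path, legitimate table:", legit)
```

Running demo() shows the vulnerable path returning the app_users row through the UNION while the hardened path raises on the payload and still answers the legitimate request. In a real deployment the allowlist should be replaced or supplemented by a lookup against the database and table names the engine itself reported, so that only names Archery already knows about are ever spliced into a query.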
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (2)
- https://github.com/hhyo/Archery/blob/bc86cda4c3b7d59f759d0d23bb63a54f52616752/sql/data_dictionary.py (MISC)
- https://github.com/hhyo/Archery/security/advisories/GHSA-9pvw-f8jv-xxjr (CONFIRM)
News mentions (0)
No linked articles in our index yet.