Multiple SQL injections in sql/data_dictionary.py table_list method in Archery - GHSL-2022-105
Description
Multiple SQL injection vulnerabilities in Archery's sql/data_dictionary.py table_list endpoint allow attackers to query connected databases.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Archery project (tested version v1.9.0) contains SQL injection vulnerabilities in the table_list endpoint of sql/data_dictionary.py. User input from the db_name parameter is unsafely passed to the get_group_tables_by_db methods in sql/engines/mssql.py and sql/engines/oracle.py. These methods concatenate user input into SQL queries and pass them to the database engine's query method for execution, leading to SQL injection [1].
Exploitation
An attacker with network access to Archery and knowledge of an instance name configured in Archery can exploit this vulnerability by sending a crafted db_name parameter to the table_list endpoint. The unsanitized input flows through the affected engine methods, allowing arbitrary SQL query execution on the connected databases [1].
Impact
Successful exploitation allows an attacker to query all databases connected to Archery, leading to information disclosure [1].
Mitigation
The recommended remediation is to escape user input (e.g., using MySQLdb.escape()) or to use prepared statements when executing SQL queries. As of the advisory, no specific patched version is mentioned, but the issue is tracked as GHSL-2022-105 [1]. Users should apply the advisory's recommendations until a fix is released.
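The two remediation options named above, contrasted with the concatenation pattern the advisory describes, as an added example that is not Archery's own code. It uses an in-memory SQLite table as a constructed stand-in for the database engine's metadata views; the function names get_tables_unsafe and get_tables_safe, the catalog table and the identifier regex are all assumptions made for the illustration.

```python
import re
import sqlite3


def make_sample_db():
    """Constructed stand-in for a connected database: a small catalog table
    that plays the role of the engine's list of databases and tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE catalog (db_name TEXT, table_name TEXT)")
    conn.executemany(
        "INSERT INTO catalog VALUES (?, ?)",
        [("sales", "orders"), ("sales", "customers"), ("hr", "employees")],
    )
    return conn


def get_tables_unsafe(conn, db_name):
    """The pattern the advisory describes: the db_name parameter is
    concatenated straight into the SQL text, so any quote or operator in
    it is interpreted by the database as part of the query."""
    sql = "SELECT table_name FROM catalog WHERE db_name = '" + db_name + "'"
    return [row[0] for row in conn.execute(sql)]


# Hypothetical allowlist for a database name: identifiers only, so the value
# can never carry quotes, comments or operators into the statement.
DB_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,127}")


def get_tables_safe(conn, db_name):
    """Hardened form: validate db_name as a plain identifier, then bind it
    as a query parameter (a prepared statement) so the driver treats it as
    a literal value rather than as SQL text."""
    if not DB_IDENT.fullmatch(db_name):
        raise ValueError("db_name is not a valid database identifier")
    sql = "SELECT table_name FROM catalog WHERE db_name = ?"
    return [row[0] for row in conn.execute(sql, (db_name,))]


if __name__ == "__main__":
    db = make_sample_db()
    print(get_tables_safe(db, "hr"))            # ['employees']
    try:
        get_tables_safe(db, "hr' OR '1'='1")
    except ValueError as exc:
        print("rejected:", exc)
```

The identifier check matters because a database name is usually spliced into the statement as an identifier (a `USE` target or a schema prefix), which most drivers cannot bind as a parameter; where the value is a real column value, parameter binding alone is enough, and the check is an extra layer.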
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
[1] https://github.com/hhyo/Archery/security/advisories/GHSA-jwjj-jgfv-x66q
News mentions (0)
No linked articles in our index yet.