Multiple SQL injections in sql/instance.py param_edit method in Archery - GHSL-2022-104
Description
Archery SQL audit platform contains multiple SQL injection vulnerabilities in the param_edit endpoint allowing attackers to query connected databases.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Archery v1.9.0 (and possibly earlier versions) contains multiple SQL injection vulnerabilities in the sql/instance.py param_edit endpoint. User-supplied input from the variable_name and variable_value parameters is passed unsanitized to the set_variable and get_variables methods in sql/engines/goinception.py and sql/engines/mysql.py. These methods concatenate the input directly into SQL queries, which are then executed against the connected databases via the query method of each engine [1][2].
Exploitation
An attacker with network access to the Archery web interface and knowledge of a valid instance name (defined in Archery) can send crafted requests to the param_edit endpoint. By injecting malicious SQL into the variable_name or variable_value parameters, the attacker can manipulate the resulting SQL query executed on the target database [1].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL queries on any database connected to Archery. This can lead to unauthorized data disclosure, modification, or deletion, potentially compromising the confidentiality, integrity, and availability of the managed databases [1].
Mitigation
As of the advisory publication date (2023-04-18), no official patched version has been released. The recommended mitigation is to escape user input or use prepared statements when constructing SQL queries in the affected methods. Administrators should monitor the Archery repository for updates and apply any security fixes promptly [1].
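The mitigation above distinguishes two parts of a query like SET GLOBAL name = value: the value can be bound as a driver parameter, but the variable name is an identifier and no placeholder can stand in for it, so it needs a strict allowlist check instead. The following is an added example written for this page, not code from the Archery project; the function names and the constructed inputs are assumptions chosen to mirror the advisory's description, and the %s placeholder style is the one used by common MySQL DB-API drivers.

```python
import re
from typing import Any, Optional, Tuple

# Constructed example, not Archery's code. It contrasts the concatenation
# pattern the advisory describes with a version that validates the
# identifier and binds the value as a parameter.

# Constructed sample request parameters (hypothetical values)
SAMPLE_NAME = "max_connections"
SAMPLE_VALUE = "100'; SELECT 'injected"


def build_set_variable_unsafe(variable_name: str, variable_value: str) -> str:
    """Vulnerable pattern: caller-controlled strings become SQL text as-is."""
    return f"SET GLOBAL {variable_name} = '{variable_value}';"


# MySQL system variable names are identifiers: letters, digits and
# underscores, not starting with a digit. A placeholder cannot bind an
# identifier, so reject anything outside this shape before building SQL.
_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def build_set_variable_safe(variable_name: str,
                            variable_value: str) -> Tuple[str, Tuple[Any, ...]]:
    """Hardened pattern: allowlisted identifier plus a bound value.

    Returns (sql, params) ready for cursor.execute(sql, params).
    """
    if not _IDENTIFIER.fullmatch(variable_name):
        raise ValueError(f"invalid variable name: {variable_name!r}")
    # Integer-typed system variables reject quoted strings, so send a
    # decimal literal as an int; everything else is bound as a string.
    value: Any = int(variable_value) if variable_value.isdigit() else variable_value
    return f"SET GLOBAL {variable_name} = %s;", (value,)


def build_get_variables_safe(
        variable_name: Optional[str] = None) -> Tuple[str, Tuple[Any, ...]]:
    """SHOW ... LIKE takes a string pattern, so the name can be bound."""
    if variable_name is None:
        return "SHOW GLOBAL VARIABLES;", ()
    return "SHOW GLOBAL VARIABLES LIKE %s;", (variable_name,)


if __name__ == "__main__":
    # The concatenated form carries a second statement into the query text.
    print(build_set_variable_unsafe(SAMPLE_NAME, SAMPLE_VALUE))
    # The hardened form keeps the same input confined to a bound parameter.
    print(build_set_variable_safe(SAMPLE_NAME, SAMPLE_VALUE))
    try:
        build_set_variable_safe("max_connections; SELECT 1", "100")
    except ValueError as exc:
        print("rejected:", exc)
```

Note that escaping alone is the weaker of the two options the advisory lists: it protects the value position but does nothing for an identifier spliced into the statement, which is why the name is validated rather than escaped here.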
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
- github.com/hhyo/Archery/blob/bc86cda4c3b7d59f759d0d23bb63a54f52616752/sql/instance.py (MISC)
- github.com/hhyo/Archery/security/advisories/GHSA-6mqc-w2qp-fvhp (CONFIRM)
News mentions (0)
No linked articles in our index yet.