piccolo SQL Injection via named transaction savepoints
Description
Piccolo is an object-relational mapping and query builder which supports asyncio. Prior to version 1.1.1, the handling of named transaction savepoints in all database implementations is vulnerable to SQL injection: the savepoint name is interpolated into the SQL statement with an f-string rather than being validated or quoted as an identifier. It is unlikely that an end developer would expose the savepoint name parameter to a user, but it is not unheard of. If a malicious user were able to abuse this functionality, they would have essentially direct access to the database and the ability to modify data to the level of permissions associated with the database user. A non-exhaustive list of actions possible, depending on database permissions: read all data stored in the database, including usernames and password hashes; insert arbitrary data into the database, including modifying existing records; and gain a shell on the underlying server. Version 1.1.1 fixes this issue.
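The following is an added illustration of the bug class the advisory describes; it is not piccolo's code and does not reproduce the 1.1.1 fix. It uses the sqlite3 module that ships with Python so it runs offline: `executescript()` stands in for a driver call that accepts several `;`-separated statements in one string, which is what turns an interpolated identifier into a full injection. The validation regex, the function names and the sample schema are assumptions made for this example.

```python
import re
import sqlite3


def make_db():
    # Constructed sample schema: an in-memory database with one table and one row.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users (name, pw_hash) VALUES ('alice', 'x')")
    conn.commit()
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


# --- vulnerable shape: the caller-controlled name is dropped into the SQL ---
def savepoint_unsafe(conn, name):
    # A savepoint name is an identifier, so it cannot be passed as a bound
    # parameter; that is why the f-string looks harmless. executescript()
    # models a driver that runs every statement in the string.
    conn.executescript(f"SAVEPOINT {name}")


def run_injection(name):
    """Open a savepoint with an attacker-chosen name, return surviving row count."""
    conn = make_db()
    savepoint_unsafe(conn, name)
    return row_count(conn)


# --- hardened shape: validate the identifier, then quote it, one statement per call ---
SAVEPOINT_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")  # assumed allow-list


def is_valid_savepoint_name(name):
    return bool(SAVEPOINT_NAME.fullmatch(name))


def _checked(name):
    if not is_valid_savepoint_name(name):
        raise ValueError(f"invalid savepoint name: {name!r}")
    return f'"{name}"'  # quoted identifier, so even a keyword-like name is inert


def savepoint_safe(conn, name):
    conn.execute(f"SAVEPOINT {_checked(name)}")


def rollback_to_safe(conn, name):
    conn.execute(f"ROLLBACK TO {_checked(name)}")


def release_safe(conn, name):
    conn.execute(f"RELEASE {_checked(name)}")


def demo_safe_rollback():
    """Normal savepoint use with the hardened helpers; returns (after_delete, after_rollback)."""
    conn = make_db()
    savepoint_safe(conn, "sp1")
    conn.execute("DELETE FROM users")
    after_delete = row_count(conn)
    rollback_to_safe(conn, "sp1")
    after_rollback = row_count(conn)
    release_safe(conn, "sp1")
    return after_delete, after_rollback


if __name__ == "__main__":
    payload = "sp1; DELETE FROM users; --"
    print("unsafe, benign name:", run_injection("sp1"))
    print("unsafe, injected name:", run_injection(payload))
    print("safe rollback (after delete, after rollback):", demo_safe_rollback())
    try:
        savepoint_safe(make_db(), payload)
    except ValueError as exc:
        print("safe, injected name rejected:", exc)
```

With the unsafe helper the payload `sp1; DELETE FROM users; --` empties the table inside the freshly opened savepoint; the hardened helper rejects it before any SQL is built. The allow-list is deliberately narrow: anything beyond letters, digits and underscore should be refused rather than escaped, because identifier quoting rules differ between Postgres, SQLite and other backends.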
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| piccolo (PyPI) | < 1.1.1 | 1.1.1 |
Affected products
- piccolo (PyPI), range: < 1.1.1
References
- github.com/advisories/GHSA-xq59-7jf3-rjc6 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-47128 (NVD entry)
- github.com/piccolo-orm/piccolo/commit/82679eb8cd1449cf31d87c9914a072e70168b6eb (upstream commit)
- github.com/piccolo-orm/piccolo/security/advisories/GHSA-xq59-7jf3-rjc6 (vendor advisory)
- github.com/pypa/advisory-database/tree/main/vulns/piccolo/PYSEC-2023-241.yaml (PyPA advisory database, PYSEC-2023-241)