CVE-2022-24827 – com.yahoo.elide:elide-datastore-aggregation
Package
Manager: maven
Name: com.yahoo.elide:elide-datastore-aggregation
Vulnerable Version: =6.1.3 || >=6.1.3 <6.1.4
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00359 (percentile 0.57313)
Details
SQL Injection in elide-datastore-aggregation

### Impact

When leveraging the following together:

- Elide Aggregation Data Store for Analytic Queries
- Parameterized Columns (a column that requires a client-provided parameter)
- A parameterized column of type TEXT

there is the potential for a hacker to provide a carefully crafted query that would bypass server-side authorization filters through SQL injection. A recent patch to Elide 6.1.2 allowed the '-' character to be included in parameterized TEXT columns. Two of these characters in a row can be interpreted as a SQL comment ('--'), allowing the attacker to remove the WHERE clause from the generated query and bypass authorization filters.

### Patches

A [fix](https://github.com/yahoo/elide/pull/2581) is provided in [Elide 6.1.4](https://github.com/yahoo/elide/releases/tag/6.1.4).

### Workarounds

The vulnerability only exists for parameterized columns of type TEXT and only for analytic queries (CRUD is not impacted). Workarounds include leveraging a different type of parameterized column (TIME, MONEY, etc.) or not leveraging parameterized columns.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [elide](https://github.com/yahoo/elide)
* Contact us in [Discord](https://discord.com/invite/3vh8ac57cc)
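The Impact section describes a character allowlist that admits '-' and therefore also admits the comment token '--'. The following added example (not code from Elide or from the fix) contrasts a per-character allowlist with one that also rejects consecutive dashes; the class name, method names, patterns and sample values are assumptions made for illustration.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added illustration. All names and patterns here are hypothetical, not Elide's API.
public class TextParamCheck {
    // Per-character allowlist that includes '-'. Each character is judged in
    // isolation, so two adjacent dashes ("--", a SQL line comment) still pass.
    static final Pattern PER_CHAR = Pattern.compile("^[a-zA-Z0-9_ -]*$");

    // Same allowlist, plus a negative lookahead that rejects "--" anywhere in the value.
    static final Pattern NO_COMMENT = Pattern.compile("^(?!.*--)[a-zA-Z0-9_ -]*$");

    static boolean weakAccepts(String value) {
        return PER_CHAR.matcher(value).matches();
    }

    static boolean hardenedAccepts(String value) {
        return NO_COMMENT.matcher(value).matches();
    }

    public static void main(String[] args) {
        // Constructed sample values for a TEXT column parameter.
        List<String> samples = List.of("north-east", "Q1 2022", "north --", "a;b");
        for (String s : samples) {
            System.out.printf("%-14s weak=%-5b hardened=%b%n",
                    "\"" + s + "\"", weakAccepts(s), hardenedAccepts(s));
        }
    }
}
```

Only the third sample separates the two checks: the per-character allowlist accepts it and the sequence-aware one rejects it. A review of parameter validation should look at permitted character sequences, not just permitted characters.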
Metadata
Created: 2022-04-08T22:43:17Z
Modified: 2022-04-18T22:19:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-8xpj-9j9g-fc9r/GHSA-8xpj-9j9g-fc9r.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-8xpj-9j9g-fc9r
Finding: F297
Auto approve: 1