{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-41892", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2022-11-11T00:00:00", "dateReserved": "2022-09-30T00:00:00", "datePublished": "2022-11-11T00:00:00"}, "containers": {"cna": {"title": "Arches vulnerable to SQL Injection", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-11-11T00:00:00"}, "descriptions": [{"lang": "en", "value": "Arches is a web platform for creating, managing, & visualizing geospatial data. Versions prior to 6.1.2, 6.2.1, and 7.1.2 are vulnerable to SQL Injection. With a carefully crafted web request, it's possible to execute certain unwanted sql statements against the database. This issue is fixed in version 7.12, 6.2.1, and 6.1.2. Users are recommended to upgrade as soon as possible. There are no workarounds."}], "affected": [{"vendor": "archesproject", "product": "arches", "versions": [{"version": "<= 6.1.2", "status": "affected"}, {"version": ">= 6.2.0, < 6.2.1", "status": "affected"}, {"version": ">= 7.0.0, < 7.1.2", "status": "affected"}]}], "references": [{"url": "https://github.com/archesproject/arches/security/advisories/GHSA-gmpq-xrxj-xh8m"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89"}]}], "source": {"advisory": "GHSA-gmpq-xrxj-xh8m", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:archesproject:arches:*:*:*:*:*:*:*:*", "matchCriteriaId": "21BB1B47-4586-4F5F-A4C3-A7ADCFA79DC3", "versionEndIncluding": "6.1.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:archesproject:arches:6.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "E7A5A39D-379C-47BA-81B9-1AEC7808EE5D", "vulnerable": true}, {"criteria": "cpe:2.3:a:archesproject:arches:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5B614BF2-A773-4E7C-8514-70860A6D7C02", "vulnerable": true}, {"criteria": "cpe:2.3:a:archesproject:arches:7.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "33E271C0-E2F0-484A-80B2-D2101FF67ECE", "vulnerable": true}, {"criteria": "cpe:2.3:a:archesproject:arches:7.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "9F04CFEA-BC99-4DFC-9DBE-3947DAECD27C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Arches is a web platform for creating, managing, & visualizing geospatial data. Versions prior to 6.1.2, 6.2.1, and 7.1.2 are vulnerable to SQL Injection. With a carefully crafted web request, it's possible to execute certain unwanted sql statements against the database. This issue is fixed in version 7.12, 6.2.1, and 6.1.2. Users are recommended to upgrade as soon as possible. There are no workarounds."}, {"lang": "es", "value": "Arches es una plataforma web para crear, gestionar y administrar visualizaci\u00f3n de datos geoespaciales. Las versiones anteriores a 6.1.2, 6.2.1 y 7.1.2 son vulnerables a la inyecci\u00f3n SQL. Con una solicitud web cuidadosamente manipulada, es posible ejecutar ciertas declaraciones SQL no deseadas en la base de datos. Este problema se solucion\u00f3 en las versiones 7.12, 6.2.1 y 6.1.2. Se recomienda a los usuarios que actualicen lo antes posible. No hay workarounds."}], "id": "CVE-2022-41892", "lastModified": "2022-11-16T02:35:49.287", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-11-11T04:15:12.567", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/archesproject/arches/security/advisories/GHSA-gmpq-xrxj-xh8m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}