Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-47128

Good to know:

icon
icon

Date: November 10, 2023

Piccolo is an object-relational mapping and query builder which supports asyncio. Prior to version 1.1.1, the handling of named transaction `savepoints` in all database implementations is vulnerable to SQL Injection via f-strings. While the likelihood of an end developer exposing a `savepoints` `name` parameter to a user is highly unlikely, it would not be unheard of. If a malicious user was able to abuse this functionality they would have essentially direct access to the database and the ability to modify data to the level of permissions associated with the database user. A non exhaustive list of actions possible based on database permissions is: Read all data stored in the database, including usernames and password hashes; insert arbitrary data into the database, including modifying existing records; and gain a shell on the underlying server. Version 1.1.1 fixes this issue.

Language: Python

Severity Score

Related Resources (6)

https://github.com/pypa/advisory-database/tree/main/vulns/piccolo/PYSEC-2023-241.yaml
https://github.com/piccolo-orm/piccolo/security/advisories/GHSA-xq59-7jf3-rjc6
https://nvd.nist.gov/vuln/detail/CVE-2023-47128
https://github.com/piccolo-orm/piccolo/commit/82679eb8cd1449cf31d87c9914a072e70168b6eb
https://github.com/piccolo-orm/piccolo
https://www.mend.io/vulnerability-database/CVE-2023-47128

Severity Score

Weakness Type (CWE)

SQL Injection

CWE-89

Top Fix

icon

Upgrade Version

Upgrade to version piccolo - 1.1.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): NONE

Do you need more information?

Contact Us