CVE-2022-24827

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-24827
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24827.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-24827
Aliases
Published
2022-04-11T21:15:08Z
Modified
2024-05-14T11:41:33.024930Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Elide is a Java library that lets you stand up a GraphQL/JSON-API web service with minimal effort. When the following are used together: the Elide Aggregation Data Store for analytic queries, parameterized columns (columns that require a client-provided parameter), and a parameterized column of type TEXT, an attacker can submit a carefully crafted query that bypasses server-side authorization filters through SQL injection. A patch in Elide 6.1.2 allowed the '-' character in the values of parameterized TEXT columns. Two of these characters form the SQL line-comment sequence ('--'), which lets the attacker comment out the remainder of the generated SQL statement, including the WHERE clause that carries the authorization filters. A fix is provided in Elide 6.1.4. The vulnerability exists only for parameterized columns of type TEXT and only for analytic queries (CRUD is not impacted). Workarounds include using a different type of parameterized column (TIME, MONEY, etc.) or not using parameterized columns.
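
The mechanism described above, as an added example that is not part of this advisory and not Elide's own code: a hypothetical analytic-query generator splices a client-supplied TEXT argument into the SQL text and ANDs the server's authorization predicate onto the same WHERE clause. A value containing '--' closes the string literal and comments out everything after it, including the tenant filter. The table, sample rows, query shape, allowlist regex and the hardened variant are all assumptions made for illustration; the advisory does not publish Elide's generated SQL or the exact check introduced in 6.1.4.

```python
import re
import sqlite3

# Constructed sample rows (not from the advisory): two tenants' sales figures.
SAMPLE_ROWS = [
    ("acme", "USD", 100),
    ("acme", "EUR", 50),
    ("globex", "USD", 900),
    ("globex", "EUR", 300),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales (tenant TEXT, currency TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO sales VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_vulnerable_sql(currency_arg, tenant):
    """Hypothetical analytic-query generator modelled on the advisory.

    The client-supplied TEXT argument is spliced into the statement as text,
    and the server's row-level authorization predicate (tenant = ...) is ANDed
    onto the same WHERE clause after it.  The query shape is an assumption
    for this example; it is not Elide's generated SQL.
    """
    return (
        "SELECT SUM(amount) FROM sales "
        f"WHERE currency = '{currency_arg}' "
        f"AND tenant = '{tenant}'"
    )


def run_vulnerable(conn, currency_arg, tenant):
    """Execute the spliced query and return the aggregated amount."""
    return conn.execute(build_vulnerable_sql(currency_arg, tenant)).fetchone()[0]


# Allowlist for TEXT arguments (assumed policy, not the project's 6.1.4 check):
# letters, digits, underscore and space only.  A single '-' is rejected because
# the attacker, not the server, decides whether a second one follows it.
TEXT_ARG_PATTERN = re.compile(r"[A-Za-z0-9_ ]{1,64}")


def validate_text_arg(arg):
    """Return True when the whole client argument matches the allowlist."""
    return TEXT_ARG_PATTERN.fullmatch(arg) is not None


def run_hardened(conn, currency_arg, tenant):
    """Validate the argument, then pass it as a bound parameter.

    Binding keeps the argument out of the SQL text entirely; the allowlist is
    defence in depth for generators that must inline an argument into a
    column expression where binding is not available.
    """
    if not validate_text_arg(currency_arg):
        raise ValueError("rejected TEXT argument: %r" % currency_arg)
    sql = "SELECT SUM(amount) FROM sales WHERE currency = ? AND tenant = ?"
    return conn.execute(sql, (currency_arg, tenant)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    # The caller is authorized for tenant 'acme' only.
    print(run_vulnerable(db, "USD", "acme"))      # 100: acme's USD total
    payload = "USD' --"                            # closes the literal, comments out the tail
    print(build_vulnerable_sql(payload, "acme"))   # ... WHERE currency = 'USD' --' AND tenant = 'acme'
    print(run_vulnerable(db, payload, "acme"))     # 1000: every tenant's USD rows, filter gone
    print(validate_text_arg(payload))              # False
    print(run_hardened(db, "USD", "acme"))         # 100
```

Running the block shows the authorized total (100) turning into the cross-tenant total (1000) once the argument carries a '--'. The generated statement is a single line, so the comment swallows the tenant predicate exactly as the advisory describes; the hardened path rejects the same input before any SQL is built.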

References

Affected packages

Git / github.com/yahoo/elide

Affected ranges

Type
GIT
Repo
https://github.com/yahoo/elide
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

1.*

1.0.0.10
1.0.0.11
1.0.0.12
1.0.0.13
1.0.0.14
1.0.0.15
1.0.0.16
1.0.0.17
1.0.0.18
1.0.0.19
1.0.0.20
1.0.0.21
1.0.0.22
1.0.0.23
1.0.0.24
1.0.0.25
1.0.0.4
1.0.0.5
1.0.0.6
1.0.0.7
1.0.0.8
1.0.0.9

2.*

2.0.0
2.0.1
2.0.10
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.1.0
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1
2.3.10
2.3.11
2.3.12
2.3.13
2.3.14
2.3.15
2.3.16
2.3.17
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.4.0
2.4.1
2.4.10
2.4.11
2.4.12
2.4.13
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.5.0
2.5.1
2.5.2

3.*

3.0.0
3.0.1
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.16
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.2.0

4.*

4.0-alpha-2
4.0-alpha-3
4.0-beta-1
4.0-beta-2
4.0-beta-3
4.0-beta-4
4.0-beta-5
4.0.0
4.0.1
4.0.2
4.1.0
4.2.0
4.2.1
4.2.10
4.2.11
4.2.12
4.2.13
4.2.14
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.2.8
4.2.9
4.3.0
4.3.1
4.3.2
4.3.3
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.5.0
4.5.1
4.5.10
4.5.11
4.5.12
4.5.13
4.5.14
4.5.15
4.5.16
4.5.2
4.5.3
4.5.4
4.5.5
4.5.6
4.5.7
4.5.8
4.5.9
4.6.0
4.6.1
4.6.2
4.6.3
4.6.4
4.6.5
4.6.6
4.6.7
4.6.8

5.*

5.0.0
5.0.0-pr30
5.0.0-pr31
5.0.0-pr32
5.0.0-pr33
5.0.0-pr34
5.0.1
5.0.10
5.0.11
5.0.12
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9

6.*

6.0.0
6.0.0-pr1
6.0.0-pr2
6.0.0-pr3
6.0.0-pr4
6.0.0-pr5
6.0.0-pr6
6.0.0-pr7
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.1.0
6.1.1
6.1.2
6.1.3

elide-parent-pom-1.*

elide-parent-pom-1.0.0.0
elide-parent-pom-1.0.0.1
elide-parent-pom-1.0.0.3