CVE-2023-36830

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-36830

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-36830.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-36830

Aliases

Related

Published

2023-07-06T16:15:10Z

Modified

2025-05-28T10:35:58.508002Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

SQLFluff is a SQL linter. Prior to version 2.1.2, in environments where untrusted users have access to the config files, there is a potential security vulnerability where those users could use the library_path config value to allow arbitrary python code to be executed via macros. For many users who use SQLFluff in the context of an environment where all users already have fairly escalated privileges, this may not be an issue - however in larger user bases, or where SQLFluff is bundled into another tool where developers still wish to give users access to supply their on rule configuration, this may be an issue.

The 2.1.2 release offers the ability for the library_path argument to be overwritten on the command line by using the --library-path option. This overrides any values provided in the config files and effectively prevents this route of attack for users which have access to the config file, but not to the scripts which call the SQLFluff CLI directly. A similar option is provided for the Python API, where users also have a greater ability to further customise or override configuration as necessary. Unless library_path is explicitly required, SQLFluff maintainers recommend using the option --library-path none when invoking SQLFluff which will disable the library-path option entirely regardless of the options set in the configuration file or via inline config directives. As a workaround, limiting access to - or otherwise validating configuration files before they are ingested by SQLFluff will provides a similar effect and does not require upgrade.

References

Affected packages

Debian:12 / sqlfluff

Package

Name: sqlfluff
Purl: pkg:deb/debian/sqlfluff?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.4.5-2

2.*

2.3.5-1

3.*

3.2.5-1

3.2.5-2

3.3.0-1

3.3.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / sqlfluff

Package

Name: sqlfluff
Purl: pkg:deb/debian/sqlfluff?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.3.5-1

Affected versions

1.*

1.4.5-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/sqlfluff/sqlfluff

Affected ranges

Type: GIT
Repo: https://github.com/sqlfluff/sqlfluff
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

653ee67d3e37462c6d5231a41aa15494f8d874e3

Fixed

653ee67d3e37462c6d5231a41aa15494f8d874e3

Affected versions

0.*

0.0.1

0.0.2

0.0.3

0.0.6

0.0.7

0.1.0

0.1.4

0.1.5

0.10.0

0.10.1

0.11.0

0.11.1

0.11.2

0.12.0

0.13.0

0.13.1

0.13.2

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.4.0

0.4.0a1

0.4.0a2

0.4.0a3

0.4.1

0.5.0

0.5.1

0.5.2

0.5.3

0.5.4

0.5.5

0.5.6

0.6.0

0.6.0a1

0.6.0a2

0.6.1

0.6.2

0.6.3

0.6.4

0.6.5

0.6.6

0.6.7

0.6.8

0.6.9

0.7.0

0.7.0a1

0.7.0a2

0.7.0a5

0.7.0a6

0.7.0a7

0.7.0a8

0.7.1

0.8.0

0.8.1

0.8.2

0.9.0

0.9.1

0.9.2

0.9.3

0.9.4

1.*

1.0.0

1.1.0

1.2.0

1.2.1

1.3.0

1.3.1

1.3.2

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

2.*

2.0.0

2.0.0a1

2.0.0a2

2.0.0a3

2.0.0a4

2.0.0a5

2.0.0a6

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.1.0

2.1.1

Other

untagged-0ddecca233f58d1186e1

untagged-1900b8efc1b9d793637f

untagged-eb9d263623ead02fd9ca