CVE-2023-52082

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52082
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52082.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-52082
Related
  • GHSA-rjwv-5j3m-p5x4
Published
2023-12-28T16:16:02Z
Modified
2025-01-15T05:03:13.864629Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Lychee is a free photo-management tool. Prior to 5.0.2, Lychee is vulnerable to an SQL injection on any binding when using mysql/mariadb. This injection is only active for users with the .env settings set to DBLOGSQL=true and DBLOGSQL_EXPLAIN=true. The default settings of Lychee are safe. The patch is provided in version 5.0.2. To work around this issue, disable SQL EXPLAIN logging.

References

Affected packages

Git / github.com/lycheeorg/lychee

Affected ranges

Type
GIT
Repo
https://github.com/lycheeorg/lychee
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

v4.*

v4.0.0
v4.0.0-alpha.1
v4.0.0-beta.1
v4.0.0-beta.2
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.1.0
v4.10.0
v4.11.0
v4.11.1
v4.12.0
v4.13.0
v4.2.0
v4.2.1
v4.2.2
v4.3.0
v4.3.4
v4.3.5
v4.3.6
v4.4.0
v4.5.0
v4.5.1
v4.5.2
v4.5.3
v4.6.0
v4.6.0-RC
v4.6.0-RC2
v4.6.0-RC3
v4.6.1
v4.6.1-RC1
v4.6.1-RC2
v4.6.2
v4.6.2-RC1
v4.6.2-RC2
v4.6.3-RC1
v4.6.4
v4.6.5
v4.7.0
v4.7.1
v4.7.2
v4.7.3
v4.7.4
v4.8.0
v4.8.1
v4.9.0
v4.9.1
v4.9.2
v4.9.3
v4.9.3-RC
v4.9.4

v5.*

v5.0.0
v5.0.0-beta
v5.0.1