8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24827

GHSA ID

GHSA-8xpj-9j9g-fc9r

EPSS Score

0.57386%

CWE

CWE-89

Published

4/8/2022

Updated

1/27/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-24827

CVE-2022-24827: SQL Injection in elide-datastore-aggregation

Impact

When leveraging the following together:

Elide Aggregation Data Store for Analytic Queries
Parameterized Columns (A column that requires a client provided parameter)
A parameterized column of type TEXT

There is the potential for a hacker to provide a carefully crafted query that would bypass server side authorization filters through SQL injection. A recent patch to Elide 6.1.2 allowed the '-' character to be included in parameterized TEXT columns. This character can be interpreted as SQL comments ('--') and allow the attacker to remove the WHERE clause from the generated query and bypass authorization filters.

Patches

A fix is provided in Elide 6.1.4.

Workarounds

The vulnerability only exists for parameterized columns of type TEXT and only for analytic queries (CRUD is not impacted). Workarounds include leveraging a different type of parameterized column (TIME, MONEY, etc) or not leveraging parameterized columns.

For more information

If you have any questions or comments about this advisory:

Open an issue in elide
Contact us in Discord

(GitHub Advisory)

8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24827

GHSA ID

GHSA-8xpj-9j9g-fc9r

EPSS Score

0.57386%

CWE

CWE-89

Published

4/8/2022

Updated

1/27/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.yahoo.elide:elide-datastore-aggregation	maven	= 6.1.3	6.1.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from a regex change in PR #2565 that added '-' as valid in TEXT parameters. The security fix in PR #2581 reverted this regex to exclude '-', indicating the validation() function was the injection vector. The TextType class's value validation directly controlled parameter sanitization for SQL generation, making it the logical vulnerable component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t W**n l*v*r**in* t** *ollowin* to**t**r: - *li** ***r***tion **t* Stor* *or *n*lyti* Qu*ri*s - P*r*m*t*riz** *olumns (* *olumn t**t r*quir*s * *li*nt provi*** p*r*m*t*r) - * p*r*m*t*riz** *olumn o* typ* T*XT T**r* is t** pot*nti*l *or * *

Reasoning

T** vuln*r**ility st*mm** *rom * r***x ***n** in PR #**** t**t ***** '-' *s v*li* in T*XT p*r*m*t*rs. T** s**urity *ix in PR #**** r*v*rt** t*is r***x to *x*lu** '-', in*i**tin* t** `v*li**tion()` *un*tion w*s t** inj**tion v**tor. T** `T*xtTyp*` *l*

8.1

Basic Information

Concerned about an active attack path?

CVE-2022-24827: SQL Injection in elide-datastore-aggregation

Impact

Patches

Workarounds

For more information

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI