CVE-2022-24827: SQL Injection in elide-datastore-aggregation
8.1
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.57386%
CWE
Published
4/8/2022
Updated
1/27/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
com.yahoo.elide:elide-datastore-aggregation | maven | = 6.1.3 | 6.1.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from a regex change in PR #2565 that added '-' as valid in TEXT parameters. The security fix in PR #2581 reverted this regex to exclude '-', indicating the validation()
function was the injection vector. The TextType
class's value validation
directly controlled parameter sanitization for SQL generation, making it the logical vulnerable component.