CVE-2022-41892

Arches vulnerable to execution of arbitrary SQL in pypi/arches

Identifiers

GHSA-gmpq-xrxj-xh8m, CVE-2022-41892

Package Slug

pypi/arches

Vulnerability

Arches vulnerable to execution of arbitrary SQL

Description

Arches is a web platform for creating, managing, and visualizing geospatial data. Versions prior to 6.1.2, 6.2.1, and 7.1.2 are vulnerable to SQL injection. With a carefully crafted web request, it is possible to execute certain unwanted SQL statements against the database. This issue is fixed in versions 7.12, 6.2.1, and 6.1.2. Users are recommended to upgrade as soon as possible. There are no workarounds.

Affected Versions

All versions up to 6.1.1, version 6.2.0, all versions starting from 7.0.0 up to 7.1.1

Solution

Upgrade to versions 6.1.2, 6.2.1, 7.2.0 or above.

Last Modified

2022-11-13
