CVE-2022-41892: Arches vulnerable to execution of arbitrary SQL

November 11, 2022 (updated November 12, 2022)

Arches is a web platform for creating, managing, & visualizing geospatial data. Versions prior to 6.1.2, 6.2.1, and 7.1.2 is vulnerable to SQL Injection. With a carefully crafted web request, it’s possible to execute certain unwanted sql statements against the database. This issue is fixed in version 7.12, 6.2.1, and 6.1.2. Users are recommended to upgrade as soon as possible. There are no workarounds.

References

github.com/advisories/GHSA-gmpq-xrxj-xh8m
github.com/archesproject/arches/security/advisories/GHSA-gmpq-xrxj-xh8m
nvd.nist.gov/vuln/detail/CVE-2022-41892
pypi.org/project/arches/6.1.2/
pypi.org/project/arches/7.2.0/

Detect and mitigate CVE-2022-41892 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →