PyPI: Arches

CVE-2022-41892

Safety vulnerability ID: 54561

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Nov 11, 2022. Updated at Nov 29, 2024.

Advisory

### Impact
With a carefully crafted web request, an unauthenticated attacker can cause Arches to execute certain unwanted SQL statements against its database (SQL injection).
Anyone running an impacted version (<=6.1.1, 6.2.0, or 7.0.0 through 7.1.1 inclusive) should upgrade as soon as possible.
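The following is an added illustration of the bug class this advisory describes. It is not Arches' own code and does not reproduce the vulnerable code path of this CVE (which the advisory does not identify): a request value interpolated into SQL text, next to the same lookup with a bound parameter, run against a constructed in-memory SQLite table.

```python
import sqlite3

# Constructed sample data standing in for an application table; not Arches' schema.
SAMPLE_ROWS = [
    ("Temple", "alice"),
    ("Fort", "bob"),
    ("Bridge", "alice"),
]


def make_db():
    """Create an in-memory SQLite database seeded with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE resources (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO resources (name, owner) VALUES (?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_vulnerable(conn, owner):
    """Injectable: the request value becomes part of the SQL text itself."""
    sql = "SELECT name FROM resources WHERE owner = '%s' ORDER BY id" % owner
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, owner):
    """Hardened: the value is bound as a parameter and cannot alter the query."""
    sql = "SELECT name FROM resources WHERE owner = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner,))]


# A crafted value that closes the string literal and appends an always-true clause.
PAYLOAD = "nobody' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, honest input: ", lookup_vulnerable(conn, "alice"))
    print("vulnerable, crafted input:", lookup_vulnerable(conn, PAYLOAD))
    print("safe, crafted input:      ", lookup_safe(conn, PAYLOAD))
```

With the crafted value the interpolated query returns every row in the table, while the parameterized query treats the same string as a literal owner name and returns nothing. The fix is to never splice request data into SQL text; in Django-based applications such as Arches that means the ORM or `cursor.execute(sql, params)` with placeholders.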

### Patches
The problem has been patched in the following versions: [6.1.2](https://pypi.org/project/arches/6.1.2/), [6.2.1](https://pypi.org/project/arches/6.2.1/), and [7.2.0](https://pypi.org/project/arches/7.2.0/)
Users are strongly urged to upgrade to the most recent relevant patch.
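As an added helper (not part of the advisory or the Arches project), the check below encodes the affected ranges and patched releases listed above and reports whether an installed `arches` distribution falls into one of them. The version parsing is a deliberate simplification: only the first three numeric components are compared, which is an assumption rather than full PEP 440 handling.

```python
import re
from importlib import metadata

# Ranges taken from this advisory: <=6.1.1, 6.2.0, and 7.0.0 through 7.1.1 inclusive.
# Each entry is (lowest affected, highest affected, first patched release on that branch).
AFFECTED_RANGES = [
    ((0, 0, 0), (6, 1, 1), "6.1.2"),
    ((6, 2, 0), (6, 2, 0), "6.2.1"),
    ((7, 0, 0), (7, 1, 1), "7.2.0"),
]


def parse_version(version):
    """Reduce a version string to a 3-tuple of ints.

    Assumption: only the first three numeric components matter, so a
    pre-release such as '7.2.0rc1' is compared as 7.2.0.
    """
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    if not parts:
        raise ValueError("no numeric component in %r" % version)
    return tuple(parts + [0] * (3 - len(parts)))


def fix_for(version):
    """Return the patched release for an affected version, or None if unaffected."""
    v = parse_version(version)
    for low, high, patched in AFFECTED_RANGES:
        if low <= v <= high:
            return patched
    return None


def is_affected(version):
    """True if the given arches version falls in an affected range."""
    return fix_for(version) is not None


def installed_arches_version():
    """Version of the arches distribution in this environment, or None if absent."""
    try:
        return metadata.version("arches")
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    current = installed_arches_version()
    if current is None:
        print("arches is not installed in this environment")
    elif is_affected(current):
        print("arches %s is affected by CVE-2022-41892; upgrade to %s"
              % (current, fix_for(current)))
    else:
        print("arches %s is not in an affected range" % current)
```

Run it inside the virtual environment that serves Arches; it reads the installed distribution metadata rather than contacting PyPI.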

### Workarounds
There are no workarounds.

### General References
https://www.w3schools.com/sql/sql_injection.asp
https://en.wikipedia.org/wiki/SQL_injection

### For more information
Post any questions to the [Arches project forum](https://community.archesproject.org/).

Affected package

arches

Latest version: 7.6.3

Arches is an open-source, web-based, geospatial information system for cultural heritage inventory and management.

Affected versions

<=6.1.1, 6.2.0, >=7.0.0,<=7.1.1

Fixed versions

6.1.2, 6.2.1, 7.2.0


Severity Details

CVSS v3 Base Score: CRITICAL 9.8

CVSS v3 metrics (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H):
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): HIGH
Availability Impact (A): HIGH