CVE-2022-41892
Arches vulnerable to execution of arbitrary SQL
Severity: HIGH (CVSS 3.1 base score 8.6)
EPSS: 0.13%
Description
Arches is a web platform for creating, managing, and visualizing geospatial data. Versions prior to 6.1.2, 6.2.1, and 7.1.2 are vulnerable to SQL injection: with a carefully crafted web request, an unauthenticated attacker can execute certain unwanted SQL statements against the database. This issue is fixed in versions 7.1.2, 6.2.1, and 6.1.2. Users are recommended to upgrade as soon as possible. There are no workarounds.
How to fix CVE-2022-41892
To remediate CVE-2022-41892, upgrade the affected package to a fixed version below.
- upgrade to 6.1.2 or later
- upgrade to 6.1.2 or later
Is CVE-2022-41892 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 6.1.2
- from 0, < 6.1.2
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L |