CVE-2023-47128 : Security Advisory and Response

Piccolo SQL Injection via named transaction savepoints is a critical vulnerability that affects versions of piccolo prior to 1.1.1. This vulnerability allows for SQL Injection via f-strings, potentially granting malicious users direct access to the database and the ability to modify data.

Understanding CVE-2023-47128

Piccolo is an object-relational mapping and query builder supporting asyncio. The vulnerability stems from the mishandling of named transaction

savepoints

in all database implementations.

What is CVE-2023-47128?

Prior to version 1.1.1, Piccolo is vulnerable to SQL Injection via named transaction

savepoints

. This could allow malicious users to access the database and modify data.

The Impact of CVE-2023-47128

The exploitation of this vulnerability could lead to severe consequences, such as reading all data stored in the database, inserting arbitrary data, modifying existing records, and potentially gaining access to the underlying server through a shell.

Technical Details of CVE-2023-47128

The vulnerability is assessed with a CVSSv3.1 base score of 9.1 (Critical). The attack complexity is low, requires no privileges, and has high impacts on confidentiality and integrity. The vulnerability occurs over a network without user interaction.

Vulnerability Description

Piccolo mishandles named transaction

savepoints

, exposing a potential SQL Injection vulnerability via f-strings.

Affected Systems and Versions

Vendor: piccolo-orm Product: piccolo Versions Affected: < 1.1.1

Exploitation Mechanism

The vulnerability could be exploited by malicious users to execute SQL Injection via the

savepoints

name

parameter, potentially leading to unauthorized access to the database.

Mitigation and Prevention

It is crucial to take immediate steps to mitigate the risk and prevent exploitation of CVE-2023-47128.

Immediate Steps to Take

Update Piccolo to version 1.1.1 or newer to address this vulnerability. Implement input validation to prevent SQL Injection attacks.

Long-Term Security Practices

Developers should follow secure coding practices, conduct regular security assessments, and stay informed about potential vulnerabilities in third-party libraries.

Patching and Updates

Stay informed about security advisories and updates from piccolo-orm. Regularly update dependencies to ensure your software remains secure.