{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-28437", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-03-15T15:59:10.054Z", "datePublished": "2023-03-24T23:43:15.992Z", "dateUpdated": "2025-02-19T20:36:49.277Z"}, "containers": {"cna": {"title": "SQL injection vulnerability due to the keyword blacklist for defending against SQL injection will be bypassed", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/dataease/dataease/security/advisories/GHSA-7j7j-9rw6-3r56", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-7j7j-9rw6-3r56"}, {"name": "https://github.com/dataease/dataease/issues/4795", "tags": ["x_refsource_MISC"], "url": "https://github.com/dataease/dataease/issues/4795"}, {"name": "https://github.com/dataease/dataease/releases/tag/v1.18.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/dataease/dataease/releases/tag/v1.18.5"}], "affected": [{"vendor": "dataease", "product": "dataease", "versions": [{"version": "< 1.18.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-03-24T23:43:15.992Z"}, "descriptions": [{"lang": "en", "value": "Dataease is an open source data visualization and analysis tool. The blacklist for SQL injection protection is missing entries. This vulnerability has been fixed in version 1.18.5. There are no known workarounds. "}], "source": {"advisory": "GHSA-7j7j-9rw6-3r56", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:38:25.347Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/dataease/dataease/security/advisories/GHSA-7j7j-9rw6-3r56", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-7j7j-9rw6-3r56"}, {"name": "https://github.com/dataease/dataease/issues/4795", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dataease/dataease/issues/4795"}, {"name": "https://github.com/dataease/dataease/releases/tag/v1.18.5", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dataease/dataease/releases/tag/v1.18.5"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-19T20:36:31.360723Z", "id": "CVE-2023-28437", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-19T20:36:49.277Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-7j7j-9rw6-3r56", "name": "https://github.com/dataease/dataease/security/advisories/GHSA-7j7j-9rw6-3r56", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/dataease/dataease/issues/4795", "name": "https://github.com/dataease/dataease/issues/4795", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/dataease/dataease/releases/tag/v1.18.5", "name": "https://github.com/dataease/dataease/releases/tag/v1.18.5", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:38:25.347Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-28437", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-19T20:36:31.360723Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-19T20:36:41.335Z"}}], "cna": {"title": "SQL injection vulnerability due to the keyword blacklist for defending against SQL injection will be bypassed", "source": {"advisory": "GHSA-7j7j-9rw6-3r56", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "dataease", "product": "dataease", "versions": [{"status": "affected", "version": "< 1.18.5"}]}], "references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-7j7j-9rw6-3r56", "name": "https://github.com/dataease/dataease/security/advisories/GHSA-7j7j-9rw6-3r56", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/dataease/dataease/issues/4795", "name": "https://github.com/dataease/dataease/issues/4795", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/dataease/dataease/releases/tag/v1.18.5", "name": "https://github.com/dataease/dataease/releases/tag/v1.18.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Dataease is an open source data visualization and analysis tool. The blacklist for SQL injection protection is missing entries. This vulnerability has been fixed in version 1.18.5. There are no known workarounds. "}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-03-24T23:43:15.992Z"}}}, "cveMetadata": {"cveId": "CVE-2023-28437", "state": "PUBLISHED", "dateUpdated": "2025-02-19T20:36:49.277Z", "dateReserved": "2023-03-15T15:59:10.054Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-03-24T23:43:15.992Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*", "matchCriteriaId": "2A6525A4-9AFC-4166-83A7-7986DA122308", "versionEndExcluding": "1.18.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Dataease is an open source data visualization and analysis tool. The blacklist for SQL injection protection is missing entries. This vulnerability has been fixed in version 1.18.5. There are no known workarounds. "}], "id": "CVE-2023-28437", "lastModified": "2024-11-21T07:55:03.900", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-03-25T00:15:08.243", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/dataease/dataease/issues/4795"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/dataease/dataease/releases/tag/v1.18.5"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-7j7j-9rw6-3r56"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/dataease/dataease/issues/4795"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/dataease/dataease/releases/tag/v1.18.5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-7j7j-9rw6-3r56"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}