{"url":"http://public2.vulnerablecode.io/api/packages/61315?format=json","purl":"pkg:maven/com.yahoo.elide/elide-core@6.1.4","type":"maven","namespace":"com.yahoo.elide","name":"elide-core","version":"6.1.4","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"6.1.4","latest_non_vulnerable_version":"6.1.4","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42868?format=json","vulnerability_id":"VCID-ebvs-t25m-x7cu","summary":"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')\nElide is a Java library that lets you stand up a GraphQL/JSON-API web service with minimal effort. When leveraging the following together: Elide Aggregation Data Store for Analytic Queries, Parameterized Columns (A column that requires a client provided parameter), and a parameterized column of type TEXT. There is the potential for a hacker to provide a carefully crafted query that would bypass server side authorization filters through SQL injection. A recent patch to Elide 6.1.2 allowed the '-' character to be included in parameterized TEXT columns. This character can be interpreted as SQL comments ('--') and allow the attacker to remove the WHERE clause from the generated query and bypass authorization filters. A fix is provided in Elide 6.1.4. The vulnerability only exists for parameterized columns of type TEXT and only for analytic queries (CRUD is not impacted).\nWorkarounds include leveraging a different type of parameterized column (TIME, MONEY, etc) or not leveraging parameterized columns.","references":[{"reference_url":"https://github.com/yahoo/elide/pull/2581","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/yahoo/elide/pull/2581"},{"reference_url":"https://github.com/yahoo/elide/releases/tag/6.1.4","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/yahoo/elide/releases/tag/6.1.4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24827","reference_id":"CVE-2022-24827","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24827"},{"reference_url":"https://github.com/advisories/GHSA-8xpj-9j9g-fc9r","reference_id":"GHSA-8xpj-9j9g-fc9r","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-8xpj-9j9g-fc9r"},{"reference_url":"https://github.com/yahoo/elide/security/advisories/GHSA-8xpj-9j9g-fc9r","reference_id":"GHSA-8xpj-9j9g-fc9r","reference_type":"","scores":[],"url":"https://github.com/yahoo/elide/security/advisories/GHSA-8xpj-9j9g-fc9r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61315?format=json","purl":"pkg:maven/com.yahoo.elide/elide-core@6.1.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.yahoo.elide/elide-core@6.1.4"}],"aliases":["CVE-2022-24827","GHSA-8xpj-9j9g-fc9r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ebvs-t25m-x7cu"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.yahoo.elide/elide-core@6.1.4"}