CVE-2023-36830

CVSS Score of 10 (low)

Details

Published Jul 6, 2023
Updated: Jul 13, 2023
CWE ID 74

Summary

CVE-2023-36830 is a vulnerability in SQLFluff, a SQL linter. Versions prior to 2.1.2 allow untrusted users with access to config files to execute arbitrary Python code via macros using the `library_path` config value. This could pose a security risk in larger user bases or when SQLFluff is bundled into another tool where developers want users to supply their own rule configuration. The vulnerability can be remediated by upgrading to version 2.1.2, which introduces the `--library-path` option to overwrite the `library_path` argument provided in the config files and prevent this attack route. This vulnerability has a medium severity rating and a base score of 6.3, potentially impacting confidentiality, integrity, and availability of affected systems.

Share

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2023-36830 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options