{"id":"GHSA-g7mw-9pf9-p2pm","summary":"gosqljson SQL Injection vulnerability","details":"A vulnerability, which was classified as critical, has been found in elgs gosqljson. This issue affects the function `QueryDbToArray/QueryDbToMap/ExecDb` of the file `gosqljson.go`. The manipulation of the argument sqlStatement leads to sql injection. The name of the patch is 2740b331546cb88eb61771df4c07d389e9f0363a. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217631.","aliases":["CVE-2014-125064","GO-2023-1494"],"modified":"2023-11-08T03:57:34.390027Z","published":"2023-01-07T21:30:39Z","database_specific":{"severity":"CRITICAL","nvd_published_at":"2023-01-07T20:15:00Z","cwe_ids":["CWE-89"],"github_reviewed":true,"github_reviewed_at":"2023-01-12T23:40:45Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2014-125064"},{"type":"WEB","url":"https://github.com/elgs/gosqljson/commit/2740b331546cb88eb61771df4c07d389e9f0363a"},{"type":"PACKAGE","url":"https://github.com/elgs/gosqljson"},{"type":"WEB","url":"https://pkg.go.dev/vuln/GO-2023-1494"},{"type":"WEB","url":"https://vuldb.com/?ctiid.217631"},{"type":"WEB","url":"https://vuldb.com/?id.217631"}],"affected":[{"package":{"name":"github.com/elgs/gosqljson","ecosystem":"Go","purl":"pkg:golang/github.com/elgs/gosqljson"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20220916234230-750f26ee23c7"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-g7mw-9pf9-p2pm/GHSA-g7mw-9pf9-p2pm.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}