CVE-2023-52082

Lychee is a free photo-management tool.  Prior to 5.0.2, Lychee is vulnerable to an SQL injection on any binding when using mysql/mariadb. This injection is only active for users with the `.env` settings set to DB_LOG_SQL=true and DB_LOG_SQL_EXPLAIN=true. The defaults settings of Lychee are safe.  The patch is provided on version 5.0.2.  To work around this issue, disable SQL EXPLAIN logging.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
GitHub_MCNA
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 58%
VendorProductVersion
lycheeorglychee
4.9.3 ≤
𝑥
< 5.0.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/LycheeOrg/Lychee/commit/33354a2ce7cf700cc4ee537b7b8b94dfc1e84ad4
https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-rjwv-5j3m-p5x4
https://github.com/LycheeOrg/Lychee/commit/33354a2ce7cf700cc4ee537b7b8b94dfc1e84ad4
https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-rjwv-5j3m-p5x4