CVE-2022-24827: 
Java vulnerability analysis and mitigation

Elide, a Java library for creating GraphQL/JSON-API web services, was found to contain a SQL injection vulnerability (CVE-2022-24827) discovered in April 2022. The vulnerability affects version 6.1.3 and earlier versions when using Elide Aggregation Data Store for Analytic Queries with parameterized TEXT columns (GitHub Advisory).

The vulnerability stems from a patch in Elide 6.1.2 that allowed the '-' character to be included in parameterized TEXT columns. This character can be interpreted as SQL comments ('--') in queries, enabling attackers to craft queries that bypass server-side authorization filters through SQL injection. The vulnerability has a CVSS v3.1 Base Score of 8.1 (HIGH) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

A successful exploitation of this vulnerability could allow attackers to bypass authorization filters in the generated SQL query, potentially accessing unauthorized data. The vulnerability specifically affects analytic queries using parameterized columns of type TEXT, while CRUD operations remain unaffected (GitHub Advisory).

The vulnerability has been patched in Elide version 6.1.4. For users unable to upgrade immediately, workarounds include using a different type of parameterized column (such as TIME or MONEY) or avoiding the use of parameterized columns altogether (GitHub Advisory, Elide Release).