CVE-2022-3799: 
vulnerability analysis and mitigation

A critical SQL injection vulnerability was identified in IBAX go-ibax affecting the /api/v2 endpoint. The vulnerability, tracked as CVE-2022-3799, was discovered and reported on October 18, 2022. The issue affects the database-related functionality in the IBAX platform, specifically in the tablesInfo and columnsInfo API endpoints (GitHub Issue).

The vulnerability exists in two locations within the go-ibax/packages/api/database.go file. The first instance is on line 92, where user input is directly interpolated into an SQL query for table information. The second instance occurs on line 120, where similar unsafe string formatting is used for column information queries. Both vulnerabilities allow for SQL injection through unvalidated user input in the order and table_name parameters (GitHub Issue).

The SQL injection vulnerabilities could allow attackers to execute arbitrary SQL commands on the underlying database. This could potentially lead to unauthorized access to data, manipulation of database contents, or execution of malicious commands. The vulnerability was demonstrated using pg_sleep() function, which could be used for time-based SQL injection attacks (GitHub Issue).

The vulnerability was reported through the project's GitHub issue tracker. While specific patch information is not publicly available in the search results, standard SQL injection mitigation practices such as using prepared statements, input validation, and parameterized queries should be implemented (GitHub Issue).