
Cloud Vulnerability DB
A community-led vulnerabilities database
Lychee, a free photo-management tool, contains an SQL injection vulnerability (CVE-2023-52082) in versions prior to 5.0.2. It affects installations backed by MySQL/MariaDB, and only when two debug settings are both enabled in the .env configuration: DB_LOG_SQL=true and DB_LOG_SQL_EXPLAIN=true (shown on some mirrors with the underscores stripped, as DBLOGSQL and DBLOGSQL_EXPLAIN). The advisory was published on December 28, 2023 (NVD, GitHub Advisory).
The weakness is classified as CWE-89 (SQL Injection). It carries a CVSS v3.1 base score of 8.8 (HIGH) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: network-reachable, no privileges required, but some user interaction is needed. Any query binding (parameter value) sent to MySQL/MariaDB can carry the injection, but the injection only becomes exploitable when both DB_LOG_SQL=true and DB_LOG_SQL_EXPLAIN=true are set (GitHub Advisory).
When those settings are on, Lychee's query logging also runs EXPLAIN on logged queries, and that debug path, rather than the application's own parameterized query, is where attacker-controlled binding values are treated as SQL. An attacker can therefore execute arbitrary SQL statements on the database, leading to unauthorized reads, modification of database contents, and potential further compromise; the score reflects high impact on confidentiality, integrity, and availability (NVD).
The issue is fixed in Lychee 5.0.2. Users who cannot upgrade immediately can remove the exploitable path by disabling SQL EXPLAIN logging, i.e. setting DB_LOG_SQL_EXPLAIN to false in the .env file (GitHub Advisory). Both settings are debugging aids; there is no reason to leave them enabled on a production instance, and verifying that they are off is a reasonable check even after upgrading.
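The pattern behind this class of bug is a debug logger that re-assembles the SQL text from the query and its bindings and then executes that text (here, as an EXPLAIN) on the real connection, while the application query itself stays parameterized. The example below is an added illustration written for this page, not Lychee's own code; it models the pattern with Python's sqlite3 instead of Laravel/MySQL, uses a constructed schema, rows and payload, and assumes a naive quote-and-paste interpolation in the vulnerable logger. The hardened logger passes the bindings to the EXPLAIN statement as parameters so the driver never treats them as SQL.

```python
import sqlite3

# Constructed sample schema and rows for the demonstration (not Lychee's real schema).
SCHEMA = """
CREATE TABLE photos (id INTEGER PRIMARY KEY, title TEXT, owner TEXT);
CREATE TABLE users  (id INTEGER PRIMARY KEY, name TEXT, secret TEXT);
INSERT INTO photos VALUES (1, 'sunset', 'alice'), (2, 'beach', 'bob');
INSERT INTO users  VALUES (1, 'alice', 'hunter2'), (2, 'bob', 's3cret');
"""

# The application's own query: parameterized, and safe on its own.
QUERY = "SELECT * FROM photos WHERE title = ?"

# Assumed attacker-controlled value. It only ever reaches the database as a
# binding, so the SELECT above is unaffected; the debug logger is the sink.
PAYLOAD = "x' UNION SELECT id, name, secret FROM users WHERE 'a'='a"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def interpolate_naive(sql, bindings):
    """Vulnerable (assumed pattern): rebuild the SQL text for the log by pasting
    each binding, wrapped in single quotes, over its placeholder. Nothing is
    escaped, so a quote inside the value ends the literal early."""
    out = sql
    for value in bindings:
        out = out.replace("?", "'" + str(value) + "'", 1)
    return out


def explain_vulnerable(conn, sql, bindings):
    """Models an EXPLAIN-logging path that executes the interpolated text.
    The attacker's payload is now part of the statement being planned."""
    return conn.execute("EXPLAIN QUERY PLAN " + interpolate_naive(sql, bindings)).fetchall()


def explain_hardened(conn, sql, bindings):
    """Fixed: keep the bindings as parameters for the EXPLAIN as well, so the
    value is data for the driver, never SQL."""
    return conn.execute("EXPLAIN QUERY PLAN " + sql, tuple(bindings)).fetchall()


def touches_table(plan, table):
    """True if any plan row (last column is the textual detail) mentions the table."""
    return any(table in row[-1] for row in plan)


def demo():
    """Run both loggers against the same payload and report what each one did."""
    conn = open_db()
    bindings = [PAYLOAD]
    rows = conn.execute(QUERY, tuple(bindings)).fetchall()  # the real query: no match
    return {
        "rows": rows,
        "logged_sql": interpolate_naive(QUERY, bindings),
        "vulnerable_touches_users": touches_table(explain_vulnerable(conn, QUERY, bindings), "users"),
        "hardened_touches_users": touches_table(explain_hardened(conn, QUERY, bindings), "users"),
    }


if __name__ == "__main__":
    result = demo()
    print("application query rows:", result["rows"])
    print("text the naive logger executed:", result["logged_sql"])
    print("vulnerable EXPLAIN planned the attacker's UNION over users:",
          result["vulnerable_touches_users"])
    print("hardened EXPLAIN planned only the photos query:",
          not result["hardened_touches_users"])
```

The observable difference is in the query plan: the naive logger's EXPLAIN plans a compound query that reads the users table, which the application never asked for, while the hardened logger's plan covers only the original SELECT. The same fix applies to a logger that wants the literal SQL text for readability: quote each binding with the driver's own quoting routine before pasting it, rather than wrapping raw values in quotes.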
Source: This report was generated using AI