GHSA-jfwg-rxf3-p7r9: Authorizer: CQL/N1QL Injection in Cassandra and Couchbase Backends via fmt.Sprintf String Interpolation
An unauthenticated attacker can inject arbitrary CQL operators through the email, phone, or token parameters on public-facing endpoints (signup, login, forgot_password, magic_link_login). This enables authentication bypass and data exfiltration from the Cassandra keyspace.
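The pattern behind this advisory, shown as an added example that is not code from the Authorizer project: the vulnerable builder splices the request value into the CQL text with fmt.Sprintf, while the fixed builder keeps the value as a bound parameter. The table and column names (users, email) are placeholders, not the project's schema.

```go
package main

import (
	"fmt"
	"strings"
)

// Vulnerable pattern the advisory describes: the request value is spliced
// into the CQL text, so Cassandra parses it as part of the statement.
// (Hypothetical schema: table "users", column "email".)
func vulnerableUserByEmailQuery(email string) string {
	return fmt.Sprintf("SELECT id, email FROM users WHERE email = '%s'", email)
}

// BoundQuery separates statement text from values, the shape that
// gocql's Session.Query(stmt, values...) expects; the driver sends the
// values out of band, so they can never change the statement's structure.
type BoundQuery struct {
	Statement string
	Args      []interface{}
}

// Fixed pattern: a ? placeholder in the text, the value passed as an argument.
func safeUserByEmailQuery(email string) BoundQuery {
	return BoundQuery{
		Statement: "SELECT id, email FROM users WHERE email = ?",
		Args:      []interface{}{email},
	}
}

// QuoteBalanced is a cheap structural check for tests and code review: an odd
// number of single quotes means an interpolated value escaped its string
// literal. It is an aid for spotting the bug, not a substitute for binding.
func QuoteBalanced(stmt string) bool {
	return strings.Count(stmt, "'")%2 == 0
}

func main() {
	// Constructed sample: an ordinary address with an apostrophe is enough to
	// show that interpolation lets input alter the statement.
	email := "o'brien@example.com"
	v := vulnerableUserByEmailQuery(email)
	fmt.Printf("interpolated: %s\n  quotes balanced: %v\n", v, QuoteBalanced(v))
	s := safeUserByEmailQuery(email)
	fmt.Printf("bound: %s  args=%v\n  quotes balanced: %v\n",
		s.Statement, s.Args, QuoteBalanced(s.Statement))
}
```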
References
- github.com/advisories/GHSA-jfwg-rxf3-p7r9
- github.com/authorizerdev/authorizer
- github.com/authorizerdev/authorizer/commit/73679faa53cd215c7524d651046e402c43809786
- github.com/authorizerdev/authorizer/pull/500
- github.com/authorizerdev/authorizer/releases/tag/2.0.1
- github.com/authorizerdev/authorizer/security/advisories/GHSA-jfwg-rxf3-p7r9