Impact
SQL injection through any query binding in any Lychee installation running a version from 4.9.3 up to and including 5.0.1 with a MySQL/MariaDB database.
This injection is only active for users with the following .env settings:
DB_LOG_SQL=true
DB_LOG_SQL_EXPLAIN=true
Note: The default settings of Lychee are safe (both are set to false).
Patches
A patch is provided in version 5.0.2.
Workarounds
Disable SQL EXPLAIN logging:
Set DB_LOG_SQL_EXPLAIN to false.
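The two settings above decide whether an installation is exposed, so the first thing an operator wants is a check of the deployed .env and a way to apply the workaround. The script below is an added example, not Lychee project code: it reads KEY=VALUE lines from a .env file (an assumed layout: optional quotes, optional trailing # comments), reports whether DB_LOG_SQL and DB_LOG_SQL_EXPLAIN are both true, and rewrites DB_LOG_SQL_EXPLAIN to false. The sample .env it operates on is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Lychee project): audit a Lychee .env for the
# DB_LOG_SQL / DB_LOG_SQL_EXPLAIN combination named in the advisory and apply
# the workaround. Assumes .env lines look like KEY=VALUE, optionally quoted,
# optionally followed by a "# comment".

# env_value FILE KEY -> prints the last effective value of KEY, lower-cased,
# with surrounding quotes and trailing comments stripped; empty if unset.
env_value() {
    file="$1"; key="$2"
    grep -E "^[[:space:]]*${key}[[:space:]]*=" "$file" 2>/dev/null \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' \
              -e 's/[[:space:]]*#.*$//' \
              -e 's/[[:space:]]*$//' \
              -e 's/^"\(.*\)"$/\1/' \
              -e "s/^'\(.*\)'\$/\1/" \
        | tr '[:upper:]' '[:lower:]'
}

# explain_logging_active FILE -> exit status 0 when both flags are true, i.e.
# the configuration the advisory says is affected; 1 otherwise.
explain_logging_active() {
    [ "$(env_value "$1" DB_LOG_SQL)" = "true" ] &&
    [ "$(env_value "$1" DB_LOG_SQL_EXPLAIN)" = "true" ]
}

# disable_explain_logging FILE -> the advisory's workaround: force
# DB_LOG_SQL_EXPLAIN=false in place (a .bak copy is kept), appending the key
# if the file never set it.
disable_explain_logging() {
    file="$1"
    if grep -qE '^[[:space:]]*DB_LOG_SQL_EXPLAIN[[:space:]]*=' "$file"; then
        sed -i.bak -E 's/^([[:space:]]*DB_LOG_SQL_EXPLAIN[[:space:]]*=).*/\1false/' "$file"
    else
        printf 'DB_LOG_SQL_EXPLAIN=false\n' >> "$file"
    fi
}

# Constructed sample .env for the demonstration (not a real installation).
SAMPLE_ENV="$(mktemp)"
cat > "$SAMPLE_ENV" <<'EOF'
APP_ENV=production
DB_CONNECTION=mysql
DB_LOG_SQL="true"
DB_LOG_SQL_EXPLAIN=true   # switched on while debugging and never turned off
EOF

if explain_logging_active "$SAMPLE_ENV"; then
    echo "affected configuration: DB_LOG_SQL and DB_LOG_SQL_EXPLAIN are both true"
    disable_explain_logging "$SAMPLE_ENV"
fi

if explain_logging_active "$SAMPLE_ENV"; then
    echo "EXPLAIN logging still active"
else
    echo "EXPLAIN logging disabled (DB_LOG_SQL_EXPLAIN=$(env_value "$SAMPLE_ENV" DB_LOG_SQL_EXPLAIN))"
fi

rm -f "$SAMPLE_ENV" "$SAMPLE_ENV.bak"
```

Run it against the real file with `explain_logging_active /path/to/Lychee/.env` after sourcing the functions; the patch in 5.0.2 remains the proper fix, and the rewrite only removes the EXPLAIN part of the logging, which is what the workaround asks for.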