Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2023-7333

CVE-2023-7333: Records-Mover SQL Injection Vulnerability

CVE-2023-7333 is a SQL injection flaw in bluelabsio records-mover up to version 1.5.4 affecting the Table Object Handler. Attackers can exploit this locally to manipulate database queries. This article covers technical details, affected versions, impact, and mitigation steps including upgrading to version 1.6.0.

Updated:

CVE-2023-7333 Overview

A SQL injection vulnerability has been identified in bluelabsio records-mover versions up to 1.5.4. The vulnerability exists in the Table Object Handler component, where improper handling of user-controlled input allows attackers with local access to inject malicious SQL commands. This weakness stems from insufficient input validation and improper use of string concatenation for database queries instead of parameterized queries or proper ORM object usage.

Critical Impact

Local attackers with low privileges can exploit this SQL injection vulnerability to potentially read, modify, or delete database contents, compromising data integrity and confidentiality.

Affected Products

  • bluelabsio records-mover versions up to 1.5.4
  • Applications utilizing the Table Object Handler component
  • Systems with local access to the records-mover library

Discovery Timeline

  • 2026-01-07 - CVE CVE-2023-7333 published to NVD
  • 2026-01-08 - Last updated in NVD database

Technical Details for CVE-2023-7333

Vulnerability Analysis

This vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), commonly referred to as injection vulnerabilities. The flaw resides in the Table Object Handler component of the records-mover library, where database queries were constructed using string concatenation through a custom quote_schema_and_table function rather than leveraging SQLAlchemy's built-in protection mechanisms.

The attack requires local access to execute, meaning an attacker would need to be authenticated or have some level of access to the system running the vulnerable records-mover instance. While the local attack vector limits the exposure compared to network-exploitable vulnerabilities, the potential for SQL injection still presents significant risks to database integrity.

Root Cause

The root cause of this vulnerability is the improper construction of SQL queries using string manipulation functions instead of secure ORM patterns. The affected code used a quote_schema_and_table function to manually construct table references in SQL statements, which failed to properly sanitize or parameterize user-controlled input. This approach bypassed SQLAlchemy's built-in SQL injection protections.

The security fix replaces these manual string operations with proper SQLAlchemy Table objects and the select function, which automatically handle escaping and parameterization, preventing malicious SQL from being injected.

Attack Vector

The vulnerability can be exploited by a local attacker who can influence the table names or schema references processed by the records-mover library. By crafting malicious input containing SQL metacharacters and injection payloads, an attacker could manipulate database queries to:

  • Extract sensitive data from the database
  • Modify or delete existing records
  • Potentially escalate privileges within the database context

The attack requires local access to the system and low-level privileges, making it suitable for insider threat scenarios or exploitation following initial compromise.

python
# Security patch showing transition from vulnerable to secure code
# Source: https://github.com/bluelabsio/records-mover/commit/3f8383aa89f45d861ca081e3e9fd2cc9d0b5dfaa

# BEFORE (vulnerable) - Using manual string quoting
from records_mover.db.quoting import quote_schema_and_table

# AFTER (secure) - Using SQLAlchemy Table objects
from sqlalchemy import select
from sqlalchemy.schema import Table, Column

Source: GitHub Commit Update

python
# Additional patch in records_mover/records/prep.py
# BEFORE
from sqlalchemy import text

# AFTER - Proper use of Table objects for SQL injection prevention
from sqlalchemy import text, Table, MetaData
from sqlalchemy.schema import DropTable

Source: GitHub Commit Update

Detection Methods for CVE-2023-7333

Indicators of Compromise

  • Unusual database query patterns containing SQL metacharacters in table name parameters
  • Error logs showing SQL syntax errors from malformed injection attempts
  • Unexpected database access patterns or data modifications
  • Audit logs showing queries with concatenated SQL commands in table references

Detection Strategies

  • Monitor application logs for SQL errors or unusual query patterns involving the records-mover library
  • Implement database activity monitoring to detect anomalous SELECT, INSERT, UPDATE, or DELETE operations
  • Review code dependencies to identify if vulnerable versions (<= 1.5.4) of records-mover are in use
  • Deploy static application security testing (SAST) tools to scan for SQL injection patterns

Monitoring Recommendations

  • Enable verbose database query logging to capture potential injection attempts
  • Configure alerting for SQL syntax errors that may indicate failed injection attacks
  • Monitor for unusual data access patterns that could indicate successful exploitation
  • Implement runtime application self-protection (RASP) to detect and block injection attempts

How to Mitigate CVE-2023-7333

Immediate Actions Required

  • Upgrade bluelabsio records-mover to version 1.6.0 or later immediately
  • Review application logs for any signs of exploitation attempts
  • Audit database contents for unauthorized modifications if exploitation is suspected
  • Implement input validation at the application layer as defense-in-depth

Patch Information

The vulnerability has been addressed in records-mover version 1.6.0. The fix (commit 3f8383aa89f45d861ca081e3e9fd2cc9d0b5dfaa) replaces the vulnerable quote_schema_and_table function with proper SQLAlchemy Table objects, ensuring that all database interactions are properly parameterized and protected against SQL injection.

For detailed patch information, refer to:

Workarounds

  • Restrict local access to systems running records-mover to trusted users only
  • Implement network segmentation to limit database access from potentially compromised systems
  • Apply principle of least privilege to database accounts used by records-mover
  • Deploy web application firewalls (WAF) with SQL injection detection rules if the application is network-accessible
bash
# Upgrade records-mover to patched version
pip install --upgrade records-mover>=1.6.0

# Verify installed version
pip show records-mover | grep Version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne