CVE-2023-7333 Overview
A SQL injection vulnerability has been identified in bluelabsio records-mover versions up to 1.5.4. The vulnerability exists in the Table Object Handler component, where improper handling of user-controlled input allows attackers with local access to inject malicious SQL commands. This weakness stems from insufficient input validation and improper use of string concatenation for database queries instead of parameterized queries or proper ORM object usage.
Critical Impact
Local attackers with low privileges can exploit this SQL injection vulnerability to potentially read, modify, or delete database contents, compromising data integrity and confidentiality.
Affected Products
- bluelabsio records-mover versions up to 1.5.4
- Applications utilizing the Table Object Handler component
- Systems with local access to the records-mover library
Discovery Timeline
- 2026-01-07 - CVE CVE-2023-7333 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2023-7333
Vulnerability Analysis
This vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), commonly referred to as injection vulnerabilities. The flaw resides in the Table Object Handler component of the records-mover library, where database queries were constructed using string concatenation through a custom quote_schema_and_table function rather than leveraging SQLAlchemy's built-in protection mechanisms.
The attack requires local access to execute, meaning an attacker would need to be authenticated or have some level of access to the system running the vulnerable records-mover instance. While the local attack vector limits the exposure compared to network-exploitable vulnerabilities, the potential for SQL injection still presents significant risks to database integrity.
Root Cause
The root cause of this vulnerability is the improper construction of SQL queries using string manipulation functions instead of secure ORM patterns. The affected code used a quote_schema_and_table function to manually construct table references in SQL statements, which failed to properly sanitize or parameterize user-controlled input. This approach bypassed SQLAlchemy's built-in SQL injection protections.
The security fix replaces these manual string operations with proper SQLAlchemy Table objects and the select function, which automatically handle escaping and parameterization, preventing malicious SQL from being injected.
Attack Vector
The vulnerability can be exploited by a local attacker who can influence the table names or schema references processed by the records-mover library. By crafting malicious input containing SQL metacharacters and injection payloads, an attacker could manipulate database queries to:
- Extract sensitive data from the database
- Modify or delete existing records
- Potentially escalate privileges within the database context
The attack requires local access to the system and low-level privileges, making it suitable for insider threat scenarios or exploitation following initial compromise.
# Security patch showing transition from vulnerable to secure code
# Source: https://github.com/bluelabsio/records-mover/commit/3f8383aa89f45d861ca081e3e9fd2cc9d0b5dfaa
# BEFORE (vulnerable) - Using manual string quoting
from records_mover.db.quoting import quote_schema_and_table
# AFTER (secure) - Using SQLAlchemy Table objects
from sqlalchemy import select
from sqlalchemy.schema import Table, Column
Source: GitHub Commit Update
# Additional patch in records_mover/records/prep.py
# BEFORE
from sqlalchemy import text
# AFTER - Proper use of Table objects for SQL injection prevention
from sqlalchemy import text, Table, MetaData
from sqlalchemy.schema import DropTable
Source: GitHub Commit Update
Detection Methods for CVE-2023-7333
Indicators of Compromise
- Unusual database query patterns containing SQL metacharacters in table name parameters
- Error logs showing SQL syntax errors from malformed injection attempts
- Unexpected database access patterns or data modifications
- Audit logs showing queries with concatenated SQL commands in table references
Detection Strategies
- Monitor application logs for SQL errors or unusual query patterns involving the records-mover library
- Implement database activity monitoring to detect anomalous SELECT, INSERT, UPDATE, or DELETE operations
- Review code dependencies to identify if vulnerable versions (<= 1.5.4) of records-mover are in use
- Deploy static application security testing (SAST) tools to scan for SQL injection patterns
Monitoring Recommendations
- Enable verbose database query logging to capture potential injection attempts
- Configure alerting for SQL syntax errors that may indicate failed injection attacks
- Monitor for unusual data access patterns that could indicate successful exploitation
- Implement runtime application self-protection (RASP) to detect and block injection attempts
How to Mitigate CVE-2023-7333
Immediate Actions Required
- Upgrade bluelabsio records-mover to version 1.6.0 or later immediately
- Review application logs for any signs of exploitation attempts
- Audit database contents for unauthorized modifications if exploitation is suspected
- Implement input validation at the application layer as defense-in-depth
Patch Information
The vulnerability has been addressed in records-mover version 1.6.0. The fix (commit 3f8383aa89f45d861ca081e3e9fd2cc9d0b5dfaa) replaces the vulnerable quote_schema_and_table function with proper SQLAlchemy Table objects, ensuring that all database interactions are properly parameterized and protected against SQL injection.
For detailed patch information, refer to:
Workarounds
- Restrict local access to systems running records-mover to trusted users only
- Implement network segmentation to limit database access from potentially compromised systems
- Apply principle of least privilege to database accounts used by records-mover
- Deploy web application firewalls (WAF) with SQL injection detection rules if the application is network-accessible
# Upgrade records-mover to patched version
pip install --upgrade records-mover>=1.6.0
# Verify installed version
pip show records-mover | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
