Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for anyquery by julien040

    CVE-2025-61679 (GCVE-0-2025-61679)

    Vulnerability from nvd – Published: 2025-10-03 21:27 – Updated: 2025-10-06 15:42
    VLAI
    Title
    Anyquery Unauthenticated Access Vulnerability Exposes Private Integration Data
    Summary
    Anyquery is an SQL query engine built on top of SQLite. Versions 0.4.3 and below allow attackers who have already gained access to localhost, even with low privileges, to use the http server through the port unauthenticated, and access private integration data like emails, without any warning of a foreign login from the provider. This issue is fixed in version 0.4.4.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    julien040 anyquery Affected: < 0.4.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-61679",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-06T15:42:42.855114Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-06T15:42:51.744Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "anyquery",
              "vendor": "julien040",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.4.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Anyquery is an SQL query engine built on top of SQLite. Versions 0.4.3 and below allow attackers who have already gained access to localhost, even with low privileges, to use the http server through the port unauthenticated, and access private integration data like emails, without any warning of a foreign login from the provider. This issue is fixed in version 0.4.4."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-03T21:27:35.612Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/julien040/anyquery/security/advisories/GHSA-5f7p-rhmq-hvc7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/julien040/anyquery/security/advisories/GHSA-5f7p-rhmq-hvc7"
            },
            {
              "name": "https://github.com/julien040/anyquery/commit/43cd8bd3354b9725b245a2354b08e1c9be1cc1d3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/julien040/anyquery/commit/43cd8bd3354b9725b245a2354b08e1c9be1cc1d3"
            },
            {
              "name": "https://github.com/julien040/anyquery/releases/tag/0.4.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/julien040/anyquery/releases/tag/0.4.4"
            }
          ],
          "source": {
            "advisory": "GHSA-5f7p-rhmq-hvc7",
            "discovery": "UNKNOWN"
          },
          "title": "Anyquery Unauthenticated Access Vulnerability Exposes Private Integration Data"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-61679",
        "datePublished": "2025-10-03T21:27:35.612Z",
        "dateReserved": "2025-09-29T20:25:16.181Z",
        "dateUpdated": "2025-10-06T15:42:51.744Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-61679 (GCVE-0-2025-61679)

    Vulnerability from cvelistv5 – Published: 2025-10-03 21:27 – Updated: 2025-10-06 15:42
    VLAI
    Title
    Anyquery Unauthenticated Access Vulnerability Exposes Private Integration Data
    Summary
    Anyquery is an SQL query engine built on top of SQLite. Versions 0.4.3 and below allow attackers who have already gained access to localhost, even with low privileges, to use the http server through the port unauthenticated, and access private integration data like emails, without any warning of a foreign login from the provider. This issue is fixed in version 0.4.4.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    julien040 anyquery Affected: < 0.4.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-61679",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-06T15:42:42.855114Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-06T15:42:51.744Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "anyquery",
              "vendor": "julien040",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.4.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Anyquery is an SQL query engine built on top of SQLite. Versions 0.4.3 and below allow attackers who have already gained access to localhost, even with low privileges, to use the http server through the port unauthenticated, and access private integration data like emails, without any warning of a foreign login from the provider. This issue is fixed in version 0.4.4."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-03T21:27:35.612Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/julien040/anyquery/security/advisories/GHSA-5f7p-rhmq-hvc7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/julien040/anyquery/security/advisories/GHSA-5f7p-rhmq-hvc7"
            },
            {
              "name": "https://github.com/julien040/anyquery/commit/43cd8bd3354b9725b245a2354b08e1c9be1cc1d3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/julien040/anyquery/commit/43cd8bd3354b9725b245a2354b08e1c9be1cc1d3"
            },
            {
              "name": "https://github.com/julien040/anyquery/releases/tag/0.4.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/julien040/anyquery/releases/tag/0.4.4"
            }
          ],
          "source": {
            "advisory": "GHSA-5f7p-rhmq-hvc7",
            "discovery": "UNKNOWN"
          },
          "title": "Anyquery Unauthenticated Access Vulnerability Exposes Private Integration Data"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-61679",
        "datePublished": "2025-10-03T21:27:35.612Z",
        "dateReserved": "2025-09-29T20:25:16.181Z",
        "dateUpdated": "2025-10-06T15:42:51.744Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }