CVE-2025-12743
中文标题:
(暂无数据)
英文标题:
SQL Injection in Looker Project Generation Endpoint Allows Access to Internal MySQL Database
漏洞描述
中文描述:
(暂无数据)
英文描述:
The Looker endpoint for generating new projects from database connections allows users to specify "looker" as a connection name, which is a reserved internal name for Looker's internal MySQL database. The schemas parameter is vulnerable to SQL injection, enabling attackers to manipulate SELECT queries that are constructed and executed against the internal MySQL database. This vulnerability allows users with developer permissions to extract data from Looker's internal MySQL database. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect against this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.106 * 24.18.198+ * 25.0.75 * 25.6.63+ * 25.8.45+ * 25.10.33+ * 25.12.1+ * 25.14+
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| Google Cloud | Looker | - | < 24.12.106 | - |
cpe:2.3:a:google_cloud:looker:*:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
4.0 (cna)
MEDIUMCVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/U:Red
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-12743 |
2025-11-21 02:02:47 | 2026-01-12 02:10:44 |
| NVD | nvd_CVE-2025-12743 |
2025-11-20 03:00:03 | 2026-01-12 02:27:26 |
版本与语言
安全公告
变更历史
查看详细变更
- affected_products_count: 16 -> 1
- data_sources: ['cve'] -> ['cve', 'nvd']