This vulnerability allows attackers to execute arbitrary SQL commands against the local SQLite database used by the SciTokens KeyCache class. It occurs because unsafe string formatting is used to construct SQL queries with untrusted user input.
Remediation
Upgrade SciTokens to version 1.9.6 or later to patch this vulnerability. Restrict access to the SciTokens service to trusted users only if an immediate upgrade cannot be completed.
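The unsafe query construction described above, beside the parameterized form that removes the injection, as an added example that is not SciTokens' own code; the `keycache` table schema, the sample rows and the function names are assumptions made for the illustration.

```python
import sqlite3

# Constructed, simplified stand-in for a key cache table; not the real SciTokens schema.
SCHEMA = "CREATE TABLE keycache (issuer TEXT, key_id TEXT, key_data TEXT)"
SAMPLE_ROWS = [
    ("https://issuer.example", "kid-1", "PUBKEY-1"),
    ("https://issuer.example", "kid-2", "PUBKEY-2"),
]


def make_db():
    """Build an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO keycache VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_key_unsafe(conn, issuer, key_id):
    """Vulnerable pattern: values are formatted into the SQL text, so any quote
    or SQL syntax in them is parsed by SQLite as part of the statement."""
    query = (
        "SELECT key_data FROM keycache "
        "WHERE issuer = '{}' AND key_id = '{}'".format(issuer, key_id)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def lookup_key_safe(conn, issuer, key_id):
    """Hardened form: '?' placeholders bind the values as data, never as SQL."""
    row = conn.execute(
        "SELECT key_data FROM keycache WHERE issuer = ? AND key_id = ?",
        (issuer, key_id),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Show the difference on a constructed key id that contains a quote."""
    conn = make_db()
    odd_kid = "kid-1'"  # constructed input, e.g. a malformed 'kid' header value
    safe_result = lookup_key_safe(conn, "https://issuer.example", odd_kid)
    try:
        lookup_key_unsafe(conn, "https://issuer.example", odd_kid)
        unsafe_parsed_ok = True
    except sqlite3.Error:
        unsafe_parsed_ok = False  # the quote reached the SQL parser
    return safe_result, unsafe_parsed_ok
```

The parameterized lookup simply finds no matching row for the quoted input, while the formatted query hands the quote to SQLite's parser and fails, which is the symptom that marks the statement text itself as attacker-controlled.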