CVE-2022-35942

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-35942
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-35942.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-35942
Aliases
Published
2022-08-12T22:25:09Z
Modified
2025-12-04T10:27:23.328306Z
Severity
  • 9.3 (Critical) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
loopback-connector-postgresql Vulnerable to Improper Sanitization of `contains` Filter
Details

Improper input validation on the contains LoopBack filter may allow for arbitrary SQL injection. When the extended filter property contains is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database. A patch was released in version 5.5.1. This affects users who does any of the following: - Connect to the database via the DataSource with allowExtendedProperties: true setting OR - Uses the connector's CRUD methods directly OR - Uses the connector's other methods to interpret the LoopBack filter. Users who are unable to upgrade should do the following if applicable: - Remove allowExtendedProperties: true DataSource setting - Add allowExtendedProperties: false DataSource setting - When passing directly to the connector functions, manually sanitize the user input for the contains LoopBack filter beforehand.

Database specific 
{
    "cwe_ids": [
        "CWE-89"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/35xxx/CVE-2022-35942.json"
}
References

Affected packages

Git / github.com/loopbackio/loopback-connector-postgresql

Affected ranges

Type
GIT
Repo
https://github.com/loopbackio/loopback-connector-postgresql
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
c684889a3a86f230e1642657b74ec17b572b01b4

Affected versions

v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.2.0
v1.2.1
v1.2.2
v1.3.0
v1.4.0
v1.5.0
v1.6.0
v1.6.1
v1.7.0
v1.7.1
v2.*
v2.0.0
v2.1.0
v2.2.0
v2.2.1
v2.3.0
v2.4.0
v2.4.1
v2.5.0
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.7.0
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.1.0
v3.2.0
v3.3.0
v3.3.1
v3.3.2
v3.4.0
v3.5.0
v3.5.1
v3.6.0
v3.6.1
v3.7.0
v3.8.0
v3.8.1
v3.8.2
v3.8.3
v3.9.0
v3.9.1
v4.*
v4.0.0
v5.*
v5.0.0
v5.0.1
v5.0.2
v5.1.0
v5.2.0
v5.2.1
v5.3.0
v5.4.0
v5.5.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-35942.json"