GHSA-j259-6c58-9m58
Suggest an improvement- Source
- https://github.com/advisories/GHSA-j259-6c58-9m58
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-j259-6c58-9m58/GHSA-j259-6c58-9m58.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-j259-6c58-9m58
- Aliases
- Published
- 2022-08-11T21:13:43Z
- Modified
- 2023-11-08T04:09:53.649923Z
- Severity
-
- 9.3 (Critical) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- loopback-connector-postgresql Vulnerable to Improper Sanitization of `contains` Filter
- Details
-
Improper input validation on the
containsLoopBack filter may allow for arbitrary SQL injection.Impact
When the extended filter property
containsis permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database.This affects users who does any of the following:
- Connect to the database via the DataSource with
allowExtendedProperties: truesetting OR - Uses the connector's CRUD methods directly OR
- Uses the connector's other methods to interpret the LoopBack filter.
Patches
Patch release
loopback-connector-postgresql@5.5.1has been published of which resolves this issue.Workarounds
Users who are unable to upgrade should do the following if applicable:
- Remove
allowExtendedProperties: trueDataSource setting - Add
allowExtendedProperties: falseDataSource setting - When passing directly to the connector functions, manually sanitize the user input for the
containsLoopBack filter beforehand.
- Connect to the database via the DataSource with
- Database specific
{ "nvd_published_at": "2022-08-12T23:15:00Z", "github_reviewed_at": "2022-08-11T21:13:43Z", "cwe_ids": [ "CWE-20", "CWE-89" ], "severity": "CRITICAL", "github_reviewed": true }- References
-
- https://github.com/loopbackio/loopback-connector-postgresql/security/advisories/GHSA-j259-6c58-9m58
- https://nvd.nist.gov/vuln/detail/CVE-2022-35942
- https://github.com/loopbackio/loopback-connector-postgresql/commit/d57406c6737692a3a106b58a35406290cddb23e5
- https://github.com/loopbackio/loopback-connector-postgresql
Affected packages
npm / loopback-connector-postgresql
Package
- Name
- loopback-connector-postgresql
- View open source insights on deps.dev
- Purl
- pkg:npm/loopback-connector-postgresql