GHSA-crhg-xgrg-vvcc – @curveball/a12n-server

Package

Manager: npm
Name: @curveball/a12n-server
Vulnerable Version: >=0.20.0 <0.23.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

a12nserver vulnerable to potential SQL Injections via Knex dependency ### Impact Users of a12nserver that use MySQL might be vulnerable to SQL injection bugs. If you use a12nserver and MySQL, update as soon as possible. This SQL injection bug might let an attacker obtain OAuth2 Access Tokens for users unrelated to those that permitted OAuth2 clients. ### Patches The knex dependency has been updated to 2.4.0 in a12nserver 0.23.0 ### Workarounds No further workarounds ### References * https://github.com/knex/knex/issues/1227 * https://nvd.nist.gov/vuln/detail/CVE-2016-20018 * https://www.ghostccamm.com/blog/knex_sqli/

Metadata

Created: 2023-01-13T21:34:29Z
Modified: 2023-01-13T21:34:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-crhg-xgrg-vvcc/GHSA-crhg-xgrg-vvcc.json
CWE IDs: ["CWE-89"]
Alternative ID: N/A
Finding: F106
Auto approve: 1