CVE-2022-35942 – loopback-connector-postgresql

Package

Manager: npm
Name: loopback-connector-postgresql
Vulnerable Version: >=0 <5.5.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.00277 pctl0.50715

Details

loopback-connector-postgresql Vulnerable to Improper Sanitization of `contains` Filter Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. ### Impact When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database. This affects users who does any of the following: - Connect to the database via the DataSource with `allowExtendedProperties: true` setting OR - Uses the connector's CRUD methods directly OR - Uses the connector's other methods to interpret the LoopBack filter. ### Patches Patch release `loopback-connector-postgresql@5.5.1` has been published of which resolves this issue. ### Workarounds Users who are unable to upgrade should do the following if applicable: - Remove `allowExtendedProperties: true` DataSource setting - Add `allowExtendedProperties: false` DataSource setting - When passing directly to the connector functions, manually sanitize the user input for the `contains` LoopBack filter beforehand.

Metadata

Created: 2022-08-11T21:13:43Z
Modified: 2022-08-11T21:13:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-j259-6c58-9m58/GHSA-j259-6c58-9m58.json
CWE IDs: ["CWE-20", "CWE-89"]
Alternative ID: GHSA-j259-6c58-9m58
Finding: F297
Auto approve: 1