logo

Database

Remote command execution In aws-advanced-nodejs-wrapper

Description

AWS Advanced NodeJS Wrapper: Privilege Escalation in Aurora PostgreSQL instance

Description of Vulnerability:

An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users.

AWS recommends that customers upgrade to the following version: AWS NodeJS Wrapper to v2.0.1.

Source of Vulnerability Report:

Allistair Ishmael Hakim [email protected]

Affected products & versions:

AWS NodeJS Wrapper < 2.0.1.

Platforms:

MacOS/Windows/Linux

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GHSA-8wj8-cfxr-93742. GCVE-GHSA-8wj8-cfxr-9374

References

1. https://github.com/aws/aws-advanced-nodejs-wrapper/security/advisories/GHSA-8wj8-cfxr-93742. https://github.com/aws/aws-advanced-nodejs-wrapper/pull/5743. https://github.com/aws/aws-advanced-nodejs-wrapper/releases/tag/2.0.1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.