CVE-2022-35942

Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database. A patch was released in version 5.5.1. This affects users who does any of the following: - Connect to the database via the DataSource with `allowExtendedProperties: true` setting OR - Uses the connector's CRUD methods directly OR - Uses the connector's other methods to interpret the LoopBack filter. Users who are unable to upgrade should do the following if applicable: - Remove `allowExtendedProperties: true` DataSource setting - Add `allowExtendedProperties: false` DataSource setting - When passing directly to the connector functions, manually sanitize the user input for the `contains` LoopBack filter beforehand.

CVSS v3 10.0 CRITICAL

10.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/loopbackio/loopback-connector-postgresql/commit/d57406c6737692a3a106b58a35406290cddb23e5	Patch Third Party Advisory
https://github.com/loopbackio/loopback-connector-postgresql/security/advisories/GHSA-j259-6c58-9m58	Mitigation Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:linuxfoundation:loopback-connector-postgresql:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2022-08-12 23:15

Updated : 2024-02-28 19:29

NVD link : CVE-2022-35942

Mitre link : CVE-2022-35942

CVE.ORG link : CVE-2022-35942

JSON object : View

Products Affected

linuxfoundation

loopback-connector-postgresql

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2022-35942", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "LOCAL", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.5}]}, "published": "2022-08-12T23:15:07.717", "references": [{"url": "https://github.com/loopbackio/loopback-connector-postgresql/commit/d57406c6737692a3a106b58a35406290cddb23e5", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/loopbackio/loopback-connector-postgresql/security/advisories/GHSA-j259-6c58-9m58", "tags": ["Mitigation", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database. A patch was released in version 5.5.1. This affects users who does any of the following: - Connect to the database via the DataSource with `allowExtendedProperties: true` setting OR - Uses the connector's CRUD methods directly OR - Uses the connector's other methods to interpret the LoopBack filter. Users who are unable to upgrade should do the following if applicable: - Remove `allowExtendedProperties: true` DataSource setting - Add `allowExtendedProperties: false` DataSource setting - When passing directly to the connector functions, manually sanitize the user input for the `contains` LoopBack filter beforehand."}, {"lang": "es", "value": "Una comprobaci\u00f3n de entrada inapropiada en el filtro \"contains\" de LoopBack puede permitir la inyecci\u00f3n arbitraria de SQL. Cuando es permitido que la propiedad del filtro extendido \"contains\" sea interpretada por el conector Postgres, es posible inyectar SQL arbitrario que puede afectar a la confidencialidad e integridad de los datos almacenados en la base de datos conectada. Ha sido publicado un parche en versi\u00f3n 5.5.1. Esto afecta a usuarios que realicen cualquiera de las siguientes acciones - Son conectados a la base de datos por medio del DataSource con el ajuste \"allowExtendedProperties: true\" O - Usan los m\u00e9todos CRUD del conector directamente O - Usan otros m\u00e9todos del conector para interpretar el filtro LoopBack. Los usuarios que no puedan actualizarse deber\u00e1n hacer lo siguiente, si procede: - Eliminar el par\u00e1metro \"allowExtendedProperties: true\" de la fuente de datos - A\u00f1adir el par\u00e1metro \"allowExtendedProperties: false\" de la fuente de datos - Cuando pase directamente a las funciones del conector, sanee manualmente la entrada del usuario para el filtro \"contains\" LoopBack de antemano."}], "lastModified": "2022-08-16T16:11:07.357", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:loopback-connector-postgresql:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "D192247A-D1C7-4E2B-8C6E-684E28F4EC58", "versionEndExcluding": "5.5.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}