Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhxaDgtNWozNi00NTU2

SQL Injection in connect-pg-simple

Impact

An unlikely SQL injection if the case of an unsanitized table name input.

Patches

The user should upgrade to 6.0.1. Due to its low impact a backport has not been made to the 5.x branch.

Workarounds

If there is no likelihood that the tableName or schemaName options sent to the constructor could be of an unsanitized nature, then no workaround is needed. Else the input could be sanitized and escaped before sending it in. Take note though that such an escaping would need to be removed when upgrading to 6.0.1 or later, to avoid double escaping.

References

• Security issue disclosure

For more information

If you have any questions or comments about this advisory:

• Open an issue in voxpelli/node-connect-pg-simple
• Email maintainer at [email protected]

Permalink: https://github.com/advisories/GHSA-xqh8-5j36-4556
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhxaDgtNWozNi00NTU2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 5 years ago
Updated: almost 2 years ago

CVSS Score: 7.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Percentage: 0.00081
EPSS Percentile: 0.35501

Identifiers: GHSA-xqh8-5j36-4556, CVE-2019-15658
References:

• https://github.com/voxpelli/node-connect-pg-simple/security/advisories/GHSA-xqh8-5j36-4556
• https://nvd.nist.gov/vuln/detail/CVE-2019-15658
• https://github.com/advisories/GHSA-xqh8-5j36-4556
• https://snyk.io/vuln/SNYK-JS-CONNECTPGSIMPLE-460154
• https://www.npmjs.com/advisories/1153

Repository: https://github.com/voxpelli/node-connect-pg-simple
Blast Radius: 23.0

Affected Packages