CVE-2022-35942

loopback-connector-postgresql Vulnerable to Improper Sanitization of `contains` Filter

Severity Score (CVSS v3.1): 10.0
Exploit Likelihood (EPSS)
Affected Versions (CPE)
Public Exploits (Multiple Sources): 0
Exploited in Wild (KEV): -
Decision (SSVC): -
Descriptions

Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database. A patch was released in version 5.5.1.

This affects users who do any of the following:
  • Connect to the database via the DataSource with the `allowExtendedProperties: true` setting, OR
  • Use the connector's CRUD methods directly, OR
  • Use the connector's other methods to interpret the LoopBack filter.

Users who are unable to upgrade should do the following if applicable:
  • Remove the `allowExtendedProperties: true` DataSource setting
  • Add the `allowExtendedProperties: false` DataSource setting
  • When passing directly to the connector functions, manually sanitize the user input for the `contains` LoopBack filter beforehand.
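
One way to apply the last workaround, as an added example that is not part of the advisory or the project's code: it rejects any filter whose `where` clause uses `contains` before the filter is handed to connector methods. The function names and sample filters are hypothetical, and rejecting outright (rather than rewriting the value) is an assumed policy.

```javascript
'use strict';

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Return the path of every `contains` operator inside a LoopBack `where`
// clause, descending into `and` / `or` groups.
function findContains(where, path = 'where') {
  const hits = [];
  if (!isPlainObject(where)) return hits;
  for (const [key, cond] of Object.entries(where)) {
    if ((key === 'and' || key === 'or') && Array.isArray(cond)) {
      cond.forEach((sub, i) =>
        hits.push(...findContains(sub, `${path}.${key}[${i}]`)));
    } else if (isPlainObject(cond) &&
               Object.prototype.hasOwnProperty.call(cond, 'contains')) {
      // `cond` is an operator object such as { contains: [...] }
      hits.push(`${path}.${key}.contains`);
    }
  }
  return hits;
}

// Throw unless the filter is free of `contains`; returns the filter unchanged
// otherwise. Only `filter.where` is inspected: a `where` nested elsewhere
// (for example in an include scope) needs the same check applied to it.
function assertNoContains(filter) {
  const hits = findContains(filter && filter.where);
  if (hits.length > 0) {
    throw new Error(`rejected filter: contains operator at ${hits.join(', ')}`);
  }
  return filter;
}

// Constructed sample filters (not taken from the advisory).
const benign = { where: { and: [{ name: 'x' }, { age: { gt: 21 } }] }, limit: 10 };
const flagged = { where: { or: [{ name: 'x' }, { tags: { contains: ['a'] } }] } };

for (const f of [benign, flagged]) {
  try {
    assertNoContains(f);
    console.log('accepted', JSON.stringify(f.where));
  } catch (err) {
    console.log(err.message);
  }
}
```

Call `assertNoContains` on every user-supplied filter at the boundary where it would otherwise reach the connector; upgrading to 5.5.1 remains the fix the advisory names.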

*Credits: N/A
CVSS Scores
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-07-15 CVE Reserved
  • 2022-08-12 CVE Published
  • 2024-03-04 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Linuxfoundation | Loopback-connector-postgresql | < 5.5.1 | node.js | Affected