GSD-2022-35942

Vulnerability from gsd - Updated: 2023-12-13 01:19
Details
Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database. A patch was released in version 5.5.1. This affects users who does any of the following: - Connect to the database via the DataSource with `allowExtendedProperties: true` setting OR - Uses the connector's CRUD methods directly OR - Uses the connector's other methods to interpret the LoopBack filter. Users who are unable to upgrade should do the following if applicable: - Remove `allowExtendedProperties: true` DataSource setting - Add `allowExtendedProperties: false` DataSource setting - When passing directly to the connector functions, manually sanitize the user input for the `contains` LoopBack filter beforehand.
Aliases
Aliases
CVE-2022-35942
To clipboard 

{
  "GSD": {
    "alias": "CVE-2022-35942",
    "description": "Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database. A patch was released in version 5.5.1. This affects users who does any of the following: - Connect to the database via the DataSource with `allowExtendedProperties: true` setting OR - Uses the connector\u0027s CRUD methods directly OR - Uses the connector\u0027s other methods to interpret the LoopBack filter. Users who are unable to upgrade should do the following if applicable: - Remove `allowExtendedProperties: true` DataSource setting - Add `allowExtendedProperties: false` DataSource setting - When passing directly to the connector functions, manually sanitize the user input for the `contains` LoopBack filter beforehand.",
    "id": "GSD-2022-35942"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-35942"
      ],
      "details": "Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database. A patch was released in version 5.5.1. This affects users who does any of the following: - Connect to the database via the DataSource with `allowExtendedProperties: true` setting OR - Uses the connector\u0027s CRUD methods directly OR - Uses the connector\u0027s other methods to interpret the LoopBack filter. Users who are unable to upgrade should do the following if applicable: - Remove `allowExtendedProperties: true` DataSource setting - Add `allowExtendedProperties: false` DataSource setting - When passing directly to the connector functions, manually sanitize the user input for the `contains` LoopBack filter beforehand.",
      "id": "GSD-2022-35942",
      "modified": "2023-12-13T01:19:33.700695Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-35942",
        "STATE": "PUBLIC",
        "TITLE": "loopback-connector-postgresql Vulnerable to Improper Sanitization of `contains` Filter"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "loopback-connector-postgresql",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 5.5.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "loopbackio"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database. A patch was released in version 5.5.1. This affects users who does any of the following: - Connect to the database via the DataSource with `allowExtendedProperties: true` setting OR - Uses the connector\u0027s CRUD methods directly OR - Uses the connector\u0027s other methods to interpret the LoopBack filter. Users who are unable to upgrade should do the following if applicable: - Remove `allowExtendedProperties: true` DataSource setting - Add `allowExtendedProperties: false` DataSource setting - When passing directly to the connector functions, manually sanitize the user input for the `contains` LoopBack filter beforehand."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/loopbackio/loopback-connector-postgresql/security/advisories/GHSA-j259-6c58-9m58",
            "refsource": "CONFIRM",
            "url": "https://github.com/loopbackio/loopback-connector-postgresql/security/advisories/GHSA-j259-6c58-9m58"
          },
          {
            "name": "https://github.com/loopbackio/loopback-connector-postgresql/commit/d57406c6737692a3a106b58a35406290cddb23e5",
            "refsource": "MISC",
            "url": "https://github.com/loopbackio/loopback-connector-postgresql/commit/d57406c6737692a3a106b58a35406290cddb23e5"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-j259-6c58-9m58",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c5.5.1",
          "affected_versions": "All versions before 5.5.1",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-89",
            "CWE-937"
          ],
          "date": "2022-08-16",
          "description": "Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database. A patch was released in version 5.5.1. This affects users who does any of the following: - Connect to the database via the DataSource with `allowExtendedProperties: true` setting OR - Uses the connector\u0027s CRUD methods directly OR - Uses the connector\u0027s other methods to interpret the LoopBack filter. Users who are unable to upgrade should do the following if applicable: - Remove `allowExtendedProperties: true` DataSource setting - Add `allowExtendedProperties: false` DataSource setting - When passing directly to the connector functions, manually sanitize the user input for the `contains` LoopBack filter beforehand.",
          "fixed_versions": [
            "5.5.1"
          ],
          "identifier": "CVE-2022-35942",
          "identifiers": [
            "CVE-2022-35942",
            "GHSA-j259-6c58-9m58",
            "GMS-2022-3552"
          ],
          "not_impacted": "All versions starting from 5.5.1",
          "package_slug": "npm/loopback-connector-postgresql",
          "pubdate": "2022-08-12",
          "solution": "Upgrade to version 5.5.1 or above.",
          "title": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-35942",
            "https://github.com/loopbackio/loopback-connector-postgresql/security/advisories/GHSA-j259-6c58-9m58",
            "https://github.com/loopbackio/loopback-connector-postgresql/commit/d57406c6737692a3a106b58a35406290cddb23e5",
            "https://github.com/advisories/GHSA-j259-6c58-9m58"
          ],
          "uuid": "e7ed83e1-0f89-44cd-9564-b6af986ef7e5"
        },
        {
          "affected_range": "\u003c0",
          "affected_versions": "All versions before 5.5.1",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-08-11",
          "description": "Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection.\n\n### Impact\n\nWhen the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database.\n\nThis affects users who does any of the following:\n\n- Connect to the database via the DataSource with `allowExtendedProperties: true` setting OR\n- Uses the connector\u0027s CRUD methods directly OR\n- Uses the connector\u0027s other methods to interpret the LoopBack filter.\n\n### Patches\n\nPatch release `loopback-connector-postgresql@5.5.1` has been published of which resolves this issue.\n\n### Workarounds\n\nUsers who are unable to upgrade should do the following if applicable:\n\n- Remove `allowExtendedProperties: true` DataSource setting\n- Add `allowExtendedProperties: false` DataSource setting\n- When passing directly to the connector functions, manually sanitize the user input for the `contains` LoopBack filter beforehand.\n\n",
          "fixed_versions": [
            "5.5.1"
          ],
          "identifier": "GMS-2022-3552",
          "identifiers": [
            "GHSA-j259-6c58-9m58",
            "GMS-2022-3552",
            "CVE-2022-35942"
          ],
          "not_impacted": "All versions starting from 5.5.1",
          "package_slug": "npm/loopback-connector-postgresql",
          "pubdate": "2022-08-11",
          "solution": "Upgrade to version 5.5.1 or above.",
          "title": "Duplicate of ./npm/loopback-connector-postgresql/CVE-2022-35942.yml",
          "urls": [
            "https://github.com/loopbackio/loopback-connector-postgresql/security/advisories/GHSA-j259-6c58-9m58",
            "https://github.com/loopbackio/loopback-connector-postgresql/commit/d57406c6737692a3a106b58a35406290cddb23e5",
            "https://github.com/advisories/GHSA-j259-6c58-9m58"
          ],
          "uuid": "769d4f8d-0de4-458b-8c0c-63403b101084"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:linuxfoundation:loopback-connector-postgresql:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.5.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-35942"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database. A patch was released in version 5.5.1. This affects users who does any of the following: - Connect to the database via the DataSource with `allowExtendedProperties: true` setting OR - Uses the connector\u0027s CRUD methods directly OR - Uses the connector\u0027s other methods to interpret the LoopBack filter. Users who are unable to upgrade should do the following if applicable: - Remove `allowExtendedProperties: true` DataSource setting - Add `allowExtendedProperties: false` DataSource setting - When passing directly to the connector functions, manually sanitize the user input for the `contains` LoopBack filter beforehand."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-89"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/loopbackio/loopback-connector-postgresql/security/advisories/GHSA-j259-6c58-9m58",
              "refsource": "CONFIRM",
              "tags": [
                "Mitigation",
                "Third Party Advisory"
              ],
              "url": "https://github.com/loopbackio/loopback-connector-postgresql/security/advisories/GHSA-j259-6c58-9m58"
            },
            {
              "name": "https://github.com/loopbackio/loopback-connector-postgresql/commit/d57406c6737692a3a106b58a35406290cddb23e5",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/loopbackio/loopback-connector-postgresql/commit/d57406c6737692a3a106b58a35406290cddb23e5"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 6.0
        }
      },
      "lastModifiedDate": "2022-08-16T16:11Z",
      "publishedDate": "2022-08-12T23:15Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.