CVE-2019-15658
SQL Injection in connect-pg-simple
Description
### Impact

An unlikely SQL injection in the case of an unsanitized table name input.

### Patches

The user should upgrade to `6.0.1`. Due to its low impact a backport has not been made to the `5.x` branch.

### Workarounds

If there is no likelihood that the `tableName` or `schemaName` options sent to the constructor could be of an unsanitized nature, then no workaround is needed. Otherwise the input could be sanitized and escaped before sending it in. Take note though that such an escaping would need to be removed when upgrading to `6.0.1` or later, to avoid double escaping.

### References

* [Security issue disclosure](https://github.com/voxpelli/node-connect-pg-simple/issues/151)

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [voxpelli/node-connect-pg-simple](https://github.com/voxpelli/node-connect-pg-simple)
* Email maintainer at [[email protected]](mailto:[email protected])
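As an added example (not code from the advisory or from connect-pg-simple itself), this shows the workaround for a deployment still on a version before `6.0.1`: the `tableName` and `schemaName` options are checked against a strict PostgreSQL identifier allowlist before they reach the store constructor. Rejecting bad values instead of escaping them leaves nothing to remove after upgrading, so the double-escaping concern above does not arise. The `buildStoreOptions` helper, its `config` shape and the `conString` value are assumptions.

```javascript
// Added example, not part of connect-pg-simple: allowlist validation for the
// identifier options a pre-6.0.1 store receives. Only plain, unquoted PostgreSQL
// identifiers (letter or underscore first, then letters/digits/underscores,
// at most 63 characters) are accepted; anything else is rejected outright.
const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;

// Returns the value unchanged when it is a safe identifier, throws otherwise.
function assertSafeIdentifier(value, optionName) {
  if (typeof value !== 'string' || !IDENTIFIER.test(value)) {
    throw new TypeError(
      `${optionName} must be a plain PostgreSQL identifier, got ${JSON.stringify(value)}`
    );
  }
  return value;
}

// Builds the options object handed to the connect-pg-simple store constructor.
// `config` (assumed shape) carries a connection string plus optional table and
// schema names taken from deployment configuration; both names are validated.
function buildStoreOptions(config) {
  const options = { conString: config.conString };
  if (config.tableName !== undefined) {
    options.tableName = assertSafeIdentifier(config.tableName, 'tableName');
  }
  if (config.schemaName !== undefined) {
    options.schemaName = assertSafeIdentifier(config.schemaName, 'schemaName');
  }
  return options;
}

// Constructed usage: a normal configuration passes, a name carrying a quote is refused.
const safe = buildStoreOptions({
  conString: 'postgres://user@localhost/app', // placeholder connection string
  tableName: 'session',
  schemaName: 'app',
});
console.log(safe); // { conString: ..., tableName: 'session', schemaName: 'app' }

try {
  buildStoreOptions({ conString: 'postgres://user@localhost/app', tableName: 'session"x' });
} catch (err) {
  console.log('rejected:', err.message);
}
```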
How to fix CVE-2019-15658
To fix CVE-2019-15658, upgrade the affected package to one of the patched versions listed below.
- Upgrade to 6.0.1 or later
Is CVE-2019-15658 being exploited?
Low: the EPSS score is 0.2%, and no widespread exploitation activity has been observed at this time.
Affected packages (1)
- connect-pg-simple: from 0, < 6.0.1
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |