loopback-connector-postgresql Vulnerable to Improper Sanitization of `contains` Filter
Critical severity
GitHub Reviewed
Published Aug 9, 2022 in loopbackio/loopback-connector-postgresql • Updated Jan 27, 2023
Published to the GitHub Advisory Database: Aug 11, 2022
Reviewed: Aug 11, 2022
Published by the National Vulnerability Database: Aug 12, 2022
Last updated: Jan 27, 2023

Description
Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection.

Impact
When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database.

This affects users who do any of the following:
`allowExtendedProperties: true` setting OR

Patches
Patch release `loopback-connector-postgresql@5.5.1` has been published, which resolves this issue.

Workarounds
Users who are unable to upgrade should do the following if applicable:
`allowExtendedProperties: true` DataSource setting
`allowExtendedProperties: false` DataSource setting
`contains` LoopBack filter beforehand.
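
The DataSource setting and a conservative pre-connector check for deployments that cannot yet upgrade, as an added example that is not code from the advisory or the LoopBack project. The function names, the sample DataSource config and the policy of rejecting every `contains` operator outright are assumptions.

```javascript
// Constructed sample DataSource config carrying the setting the advisory warns about.
const dsConfig = { name: 'db', connector: 'postgresql', allowExtendedProperties: true };

// Workaround from the advisory: make sure extended properties are switched off.
function hardenDataSourceConfig(config) {
  return { ...config, allowExtendedProperties: false };
}

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Walk a LoopBack `where` clause and return the path of every `contains`
// operator. Operators sit one level below a property name; `and`/`or` hold
// arrays of nested clauses. A model property that is itself named `contains`
// is not reported unless its own condition object uses the operator.
function findContainsOperators(where, path = 'where') {
  const hits = [];
  if (where === null || typeof where !== 'object') return hits;
  for (const [key, cond] of Object.entries(where)) {
    if ((key === 'and' || key === 'or') && Array.isArray(cond)) {
      cond.forEach((sub, i) =>
        hits.push(...findContainsOperators(sub, `${path}.${key}[${i}]`)));
    } else if (cond !== null && typeof cond === 'object' && hasOwn(cond, 'contains')) {
      hits.push(`${path}.${key}.contains`);
    }
  }
  return hits;
}

// Hypothetical guard to call on untrusted filters before they reach the connector.
function rejectContainsFilter(filter) {
  const hits = findContainsOperators(filter ? filter.where : undefined);
  if (hits.length > 0) {
    throw new Error(`extended operator not allowed: ${hits.join(', ')}`);
  }
  return filter;
}
```

Rejecting the operator is stricter than sanitizing its value; it suits applications that do not rely on `contains` queries while they remain below 5.5.1.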