icon

We found results for “

CVE-2022-35942

Good to know:

icon
icon

Date: August 12, 2022

Improper input validation on the "contains" LoopBack filter may allow for arbitrary SQL injection. When the extended filter property "contains" is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database. A patch was released in version 5.5.1. This affects users who does any of the following: - Connect to the database via the DataSource with "allowExtendedProperties: true" setting OR - Uses the connector's CRUD methods directly OR - Uses the connector's other methods to interpret the LoopBack filter. Users who are unable to upgrade should do the following if applicable: - Remove "allowExtendedProperties: true" DataSource setting - Add "allowExtendedProperties: false" DataSource setting - When passing directly to the connector functions, manually sanitize the user input for the "contains" LoopBack filter beforehand.

Language: JS

Severity Score

Severity Score

Weakness Type (CWE)

Improper Input Validation

CWE-20

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

Top Fix

icon

Upgrade Version

Upgrade to version loopback-connector-postgresql - 5.5.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): CHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

Do you need more information?

Contact Us