Platform: nodejs
Component: pg
Fixed in: 2.11.2
CVE-2017-16082 is a critical Remote Code Execution (RCE) vulnerability affecting versions of the pg Node.js PostgreSQL client prior to 2.11.2. This vulnerability arises from improper handling of column names within SQL queries, allowing an attacker to potentially execute arbitrary code. The vulnerability impacts applications utilizing the pg client to interact with PostgreSQL databases, particularly when user-supplied data or untrusted database connections are involved. A fix is available in version 2.11.2.
The impact of CVE-2017-16082 is severe. An attacker can exploit this vulnerability by crafting malicious SQL queries containing specially designed column names. These names can be injected through user input or leveraged when connecting to untrusted databases. Successful exploitation allows the attacker to execute arbitrary code on the server hosting the Node.js application, effectively gaining complete control over the system. This could lead to data breaches, system compromise, and further lateral movement within the network. The vulnerability's ease of exploitation and potential for widespread impact make it a significant security concern, reminiscent of other SQL injection vulnerabilities with severe consequences.
CVE-2017-16082 was publicly disclosed on July 24, 2018. A proof-of-concept (PoC) demonstrating the vulnerability's exploitation is publicly available, increasing the risk of widespread attacks. The vulnerability is not currently listed on CISA KEV, but its CRITICAL severity and the availability of a PoC warrant careful attention. There are no confirmed reports of active exploitation campaigns targeting this vulnerability at the time of writing, but the ease of exploitation suggests that it remains a potential threat.
Applications built with Node.js that rely on the pg client to connect to PostgreSQL databases are at risk. This includes web applications, backend services, and any other Node.js application utilizing the pg library. Specifically, applications that accept user-supplied data directly into SQL queries or connect to databases with potentially untrusted configurations are particularly vulnerable.
• nodejs / supply-chain:
npm list pg
• nodejs / supply-chain:
npm ls pg --depth=0
• generic web:
curl -I 'http://your-node-app.com/query' | grep 'pg version'
Exploit Status
EPSS
70.81% (99th percentile)
CVSS Vector
The primary mitigation for CVE-2017-16082 is to upgrade the pg Node.js client to version 2.11.2 or later. This version includes a fix that properly handles malicious column names. If upgrading immediately is not feasible, consider implementing input validation and sanitization to prevent malicious column names from being included in SQL queries. Additionally, restrict access to the database and carefully review database connection configurations to minimize the risk of connecting to untrusted databases. While a WAF might offer some protection, it's not a substitute for upgrading the client library. There are no specific Sigma or YARA rules readily available for this vulnerability, as detection relies primarily on identifying the vulnerable version of the pg library in use.
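Because detection comes down to finding old copies of pg, including ones pulled in transitively, the following added example (not code from this page or from the pg project) walks an npm lockfile and reports every installed pg older than the fixed version stated above. The names `findVulnerable`, `cmp` and `sampleLock` are hypothetical, and the lockfile content is constructed for illustration.

```javascript
// Fixed version as stated on this page; adjust if your advisory source lists other ranges.
const FIXED = '2.11.2';

// Compare two dotted numeric versions; pre-release/build suffixes are ignored.
function cmp(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk an npm lockfile object and return every installed copy of `name`
// older than `fixed`, including copies nested under other packages.
function findVulnerable(lock, name = 'pg', fixed = FIXED) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.split('node_modules/').pop() === name && meta.version &&
        cmp(meta.version, fixed) < 0) hits.push({ path, version: meta.version });
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = trail + 'node_modules/' + dep;
      if (dep === name && meta.version && cmp(meta.version, fixed) < 0 &&
          !hits.some(h => h.path === path)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/pg': { version: '7.4.1' },
    'node_modules/legacy-orm/node_modules/pg': { version: '2.11.1' },
    'node_modules/pg-pool': { version: '2.0.3' },
  },
};
console.log(findVulnerable(sampleLock));
```

In a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` instead of the sample object; a nested hit means the parent package has to be upgraded or overridden, not just the top-level pg.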
No official patch available. Look for alternatives or watch for updates.
CVE-2017-16082 is a critical Remote Code Execution vulnerability in the pg Node.js PostgreSQL client, allowing attackers to execute arbitrary code through crafted SQL column names.
You are affected if you are using a version of the pg client prior to 2.11.2 and your application is vulnerable to SQL injection or connects to untrusted databases.
Upgrade the pg client to version 2.11.2 or later. Implement input validation and sanitization to prevent malicious column names in SQL queries.
While there are no confirmed reports of active exploitation campaigns, the vulnerability's ease of exploitation and public PoC make it a potential threat.
Refer to the pg GitHub repository for details and updates: https://github.com/brianc/node-pg/issues/917