CVE-2022-35942

CVE-2022-35942

Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database. A patch was released in version 5.5.1. This affects users who does any of the following: – Connect to the database via the DataSource with `allowExtendedProperties: true` setting OR – Uses the connector’s CRUD methods directly OR – Uses the connector’s other methods to interpret the LoopBack filter. Users who are unable to upgrade should do the following if applicable: – Remove `allowExtendedProperties: true` DataSource setting – Add `allowExtendedProperties: false` DataSource setting – When passing directly to the connector functions, manually sanitize the user input for the `contains` LoopBack filter beforehand.

Source: CVE-2022-35942

답글 남기기

이메일 주소는 공개되지 않습니다. 필수 필드는 *로 표시됩니다