Vulnerable Library - pg-promise-4.8.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/pg/package.json
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2017-16082
Vulnerable Library - pg-5.1.0.tgz
PostgreSQL client - pure javascript & libpq with the same API
Library home page: https://registry.npmjs.org/pg/-/pg-5.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/pg/package.json
Dependency Hierarchy:
- pg-promise-4.8.1.tgz (Root Library)
- ❌ pg-5.1.0.tgz (Vulnerable Library)
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
vulnerable-node-source-0.0.0/model/init_db.js (Application)
-> pg-promise-4.8.1/lib/index.js (Extension)
-> pg-5.1.0/lib/index.js (Extension)
-> pg-5.1.0/lib/client.js (Extension)
-> pg-5.1.0/lib/query.js (Extension)
-> ❌ pg-5.1.0/lib/result.js (Vulnerable Component)
Vulnerability Details
A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are 2 likely scenarios in which one would likely be vulnerable. 1) Executing unsafe, user-supplied sql which contains a malicious column name. 2) Connecting to an untrusted database and executing a query which returns results where any of the column names are malicious.
Publish Date: 2018-04-26
URL: CVE-2017-16082
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/521/versions
Release Date: 2018-06-07
Fix Resolution (pg): 6.0.5
Direct dependency fix Resolution (pg-promise): 6.0.0
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/pg/package.json
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - pg-5.1.0.tgz
PostgreSQL client - pure javascript & libpq with the same API
Library home page: https://registry.npmjs.org/pg/-/pg-5.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/pg/package.json
Dependency Hierarchy:
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are 2 likely scenarios in which one would likely be vulnerable. 1) Executing unsafe, user-supplied sql which contains a malicious column name. 2) Connecting to an untrusted database and executing a query which returns results where any of the column names are malicious.
Publish Date: 2018-04-26
URL: CVE-2017-16082
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/521/versions
Release Date: 2018-06-07
Fix Resolution (pg): 6.0.5
Direct dependency fix Resolution (pg-promise): 6.0.0
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.