CVE-2014-125064: gosqljson SQL Injection vulnerability
CVSS Score: 9.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2014-125064
GHSA ID
EPSS Score: -
CWE
Published: 1/7/2023
Updated: 2/9/2023
KEV Status: No
Technology: Go
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/elgs/gosqljson | go | < 0.0.0-20220916234230-750f26ee23c7 | 0.0.0-20220916234230-750f26ee23c7 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
- The vulnerability description explicitly names these three functions as affected.
- The commit diff shows SQL injection protection (SqlSafe) was added to all three functions.
- The Go vulnerability report (GO-2023-1494) lists these exact symbols as affected.
- Pre-patch code passed user-controlled sqlStatement directly to database drivers without proper parameterized queries or escaping.
- The patch adds input sanitization specifically to these functions, indicating they were the injection vectors.
- While the CVE was rejected by NVD, the maintainer's own security patch and GitHub advisory confirm the vulnerability.
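The difference the root cause analysis points at, between handing a driver a statement string with user input spliced in and handing it a statement template plus separately bound values, is shown below as an added example written here (it is not gosqljson's own code and does not reproduce its API). The program registers a constructed recording driver with `database/sql` that executes nothing and only records what it receives, so the two call patterns can be compared offline. The driver name `recording`, the `users` table, the `lookupUnsafe`/`lookupSafe` functions and the sample input are assumptions for the demonstration.

```go
package main

import (
	"database/sql"
	"database/sql/driver"
	"fmt"
	"io"
)

// Record is one statement as the fake driver received it: the SQL text and
// the separately bound arguments.
type Record struct {
	Query string
	Args  []driver.Value
}

// sent collects every statement the fake driver receives, oldest first.
var sent []Record

// recordingDriver is a constructed stand-in for a real database driver. It
// executes nothing; it only records what database/sql hands to it.
type recordingDriver struct{}

func (recordingDriver) Open(string) (driver.Conn, error) { return &recordingConn{}, nil }

type recordingConn struct{}

func (*recordingConn) Prepare(q string) (driver.Stmt, error) { return &recordingStmt{query: q}, nil }
func (*recordingConn) Close() error                          { return nil }
func (*recordingConn) Begin() (driver.Tx, error) {
	return nil, fmt.Errorf("transactions not supported by the recording driver")
}

type recordingStmt struct{ query string }

func (*recordingStmt) Close() error { return nil }

// NumInput returns -1 so database/sql does not check the placeholder count itself.
func (*recordingStmt) NumInput() int { return -1 }

func (s *recordingStmt) Exec(args []driver.Value) (driver.Result, error) {
	sent = append(sent, Record{Query: s.query, Args: args})
	return driver.RowsAffected(0), nil
}

func (s *recordingStmt) Query(args []driver.Value) (driver.Rows, error) {
	sent = append(sent, Record{Query: s.query, Args: args})
	return emptyRows{}, nil
}

// emptyRows is a result set with no rows, enough to satisfy database/sql.
type emptyRows struct{}

func (emptyRows) Columns() []string         { return []string{"id"} }
func (emptyRows) Close() error              { return nil }
func (emptyRows) Next([]driver.Value) error { return io.EOF }

var db *sql.DB

func init() {
	sql.Register("recording", recordingDriver{})
	var err error
	if db, err = sql.Open("recording", ""); err != nil {
		panic(err)
	}
}

// lastSent returns the most recent statement the driver received.
func lastSent() Record { return sent[len(sent)-1] }

// lookupUnsafe mirrors the pre-patch pattern: the caller's value is spliced
// into the statement text, so the driver receives one string in which data
// and SQL are indistinguishable.
func lookupUnsafe(username string) (Record, error) {
	stmt := "SELECT id FROM users WHERE name = '" + username + "'"
	rows, err := db.Query(stmt)
	if err != nil {
		return Record{}, err
	}
	rows.Close()
	return lastSent(), nil
}

// lookupSafe uses a parameterized query: the statement template and the value
// reach the driver separately, so the value cannot change the query's structure.
func lookupSafe(username string) (Record, error) {
	rows, err := db.Query("SELECT id FROM users WHERE name = ?", username)
	if err != nil {
		return Record{}, err
	}
	rows.Close()
	return lastSent(), nil
}

func main() {
	// Constructed input containing a single quote, the character that breaks
	// out of a concatenated string literal.
	input := "alice' OR '1'='1"
	for _, f := range []func(string) (Record, error){lookupUnsafe, lookupSafe} {
		r, err := f(input)
		if err != nil {
			panic(err)
		}
		fmt.Printf("driver received: %q with args %v\n", r.Query, r.Args)
	}
}
```

Running it prints two records: in the first the quote has terminated the literal and the rest of the input has become part of the SQL text with no bound arguments, while in the second the statement text is unchanged and the whole input arrives as a single bound argument. That second shape is what a review of a database wrapper should look for; a function that accepts a caller-built `sqlStatement` and forwards it without parameters is the pattern the analysis above identifies as the injection vector.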