9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2014-125064

GHSA ID

GHSA-g7mw-9pf9-p2pm

EPSS Score

CWE

CWE-89

Published

1/7/2023

Updated

2/9/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2014-125064

CVE-2014-125064: gosqljson SQL Injection vulnerability

A vulnerability, which was classified as critical, has been found in elgs gosqljson. This issue affects the function QueryDbToArray/QueryDbToMap/ExecDb of the file gosqljson.go. The manipulation of the argument sqlStatement leads to sql injection. The name of the patch is 2740b331546cb88eb61771df4c07d389e9f0363a. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217631.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2014-125064

GHSA ID

GHSA-g7mw-9pf9-p2pm

EPSS Score

CWE

CWE-89

Published

1/7/2023

Updated

2/9/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/elgs/gosqljson	go	< 0.0.0-20220916234230-750f26ee23c7	0.0.0-20220916234230-750f26ee23c7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly names these three functions as affected.
The commit diff shows SQL injection protection (SqlSafe) was added to all three functions.
The Go vulnerability report (GO-2023-1494) lists these exact symbols as affected.
Pre-patch code passed user-controlled sqlStatement directly to database drivers without proper parameterized queries or escaping.
The patch adds input sanitization specifically to these functions, indicating they were the injection vectors.
While the CVE was rejected by NVD, the maintainer's own security patch and GitHub advisory confirm the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility, w*i** w*s *l*ssi*i** *s *riti**l, **s ***n *oun* in *l*s *osqljson. T*is issu* *****ts t** *un*tion `Qu*ry**To*rr*y/Qu*ry**ToM*p/*x****` o* t** *il* `*osqljson.*o`. T** m*nipul*tion o* t** *r*um*nt sqlSt*t*m*nt l***s to sql inj**tion

Reasoning

*. T** vuln*r**ility **s*ription *xpli*itly n*m*s t**s* t*r** *un*tions *s *****t**. *. T** *ommit *i** s*ows SQL inj**tion prot**tion (SqlS***) w*s ***** to *ll t*r** *un*tions. *. T** *o vuln*r**ility r*port (*O-****-****) lists t**s* *x**t sym*ols

9.8

Basic Information

Concerned about an active attack path?

CVE-2014-125064: gosqljson SQL Injection vulnerability

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI