CVE-2016-20018: Knex.js has a limited SQL injection vulnerability

CVSS Score: 7.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.51549%
Published: 12/19/2022
Updated: 10/2/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name: knex
Ecosystem: npm
Vulnerable Versions: < 2.4.0
First Patched Version: 2.4.0

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from the MySQL query compiler's handling of WHERE clause values. Prior to 2.4.0, the two functions involved performed no validation of those values, allowing malicious objects/arrays to be interpreted as SQL expressions rather than parameterized values. The commit diff shows that the patch added 'assert' checks to both functions to reject object/array values. The GHSA advisory and test cases confirm these were the entry points for SQL injection via WHERE clause manipulation.
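An application-side check of the kind the analysis describes, as an added example (not knex's code and not the patch): it rejects object/array values before a condition map reaches a query builder's WHERE clause. The function names, the column allow-list and the sample inputs are hypothetical and constructed for illustration.

```javascript
// Added example: application-side guard, not knex's own code or its patch.

// Types that are safe to bind as one parameterized value.
function isScalarBinding(value) {
  return (
    value === null ||
    ['string', 'number', 'boolean', 'bigint'].includes(typeof value) ||
    value instanceof Date ||
    Buffer.isBuffer(value)
  );
}

// Validate a { column: value } map before passing it to a query builder's
// where(). Throws on unknown columns and on any object/array value;
// returns a clean copy when every value is a scalar.
function assertScalarConditions(conditions, allowedColumns) {
  if (conditions === null || typeof conditions !== 'object' || Array.isArray(conditions)) {
    throw new TypeError('conditions must be a plain object');
  }
  const clean = {};
  for (const [column, value] of Object.entries(conditions)) {
    if (!allowedColumns.includes(column)) {
      throw new TypeError(`unexpected column: ${column}`);
    }
    if (value === undefined) {
      throw new TypeError(`missing value for column: ${column}`);
    }
    if (!isScalarBinding(value)) {
      throw new TypeError(`non-scalar value for column: ${column}`);
    }
    clean[column] = value;
  }
  return clean;
}

// Constructed sample inputs, shaped like a parsed JSON request body.
function checkSamples() {
  const samples = [
    { id: 42 },
    { id: '42', email: 'a@example.test' },
    { id: { nested: 1 } }, // object where a scalar is expected
    { id: [1, 2] },        // array where a scalar is expected
  ];
  return samples.map((s) => {
    try { assertScalarConditions(s, ['id', 'email']); return 'accepted'; }
    catch (e) { return `rejected: ${e.message}`; }
  });
}
```

A guard like this complements, and does not replace, upgrading to the first patched version listed above.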


WAF Protection Rules

WAF Rule

Knex Knex.js through *.*.* has a limited SQL injection vulnerability that can be exploited to ignore the WHERE clause of a SQL query. This vulnerability has been fixed in version *.*.*.
