7.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-15658

GHSA ID

GHSA-xqh8-5j36-4556

EPSS Score

0.42963%

CWE

CWE-89

Published

8/26/2019

Updated

1/11/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-15658

CVE-2019-15658: SQL Injection in connect-pg-simple

Impact

An unlikely SQL injection if the case of an unsanitized table name input.

Patches

The user should upgrade to 6.0.1. Due to its low impact a backport has not been made to the 5.x branch.

Workarounds

If there is no likelihood that the tableName or schemaName options sent to the constructor could be of an unsanitized nature, then no workaround is needed. Else the input could be sanitized and escaped before sending it in. Take note though that such an escaping would need to be removed when upgrading to 6.0.1 or later, to avoid double escaping.

References

Security issue disclosure

For more information

If you have any questions or comments about this advisory:

Open an issue in voxpelli/node-connect-pg-simple
Email maintainer at pelle@kodfabrik.se

(GitHub Advisory)

7.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-15658

GHSA ID

GHSA-xqh8-5j36-4556

EPSS Score

0.42963%

CWE

CWE-89

Published

8/26/2019

Updated

1/11/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
connect-pg-simple	npm	< 6.0.1	6.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper sanitization of schemaName and tableName parameters used in SQL queries. Multiple sources reference the quotedTable function as constructing identifiers by wrapping user inputs in double quotes without proper escaping. The Snyk.io report specifically demonstrates how malicious schemaName values could manipulate query structure. The function's direct use of user-provided strings in SQL identifier positions makes it the clear injection vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *n unlik*ly SQL inj**tion i* t** **s* o* *n uns*nitiz** t**l* n*m* input. ### P*t***s T** us*r s*oul* up*r*** to `*.*.*`. *u* to its low imp**t * ***kport **s not ***n m*** to t** `*.x` *r*n**. ### Work*roun*s I* t**r* is no lik*li*oo* t

Reasoning

T** vuln*r**ility st*ms *rom improp*r s*nitiz*tion o* s***m*N*m* *n* t**l*N*m* p*r*m*t*rs us** in SQL qu*ri*s. Multipl* sour**s r***r*n** t** `quot**T**l*` *un*tion *s *onstru*tin* i**nti*i*rs *y wr*ppin* us*r inputs in *ou*l* quot*s wit*out prop*r *

7.3

Basic Information

Concerned about an active attack path?

CVE-2019-15658: SQL Injection in connect-pg-simple

Impact

Patches

Workarounds

References

For more information

7.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI