CVE-2019-15658: SQL Injection in connect-pg-simple

CVSS Score (CVSS v3.0)
7.3

Basic Information

EPSS Score
0.42963%
Published
8/26/2019
Updated
1/11/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Package Name
connect-pg-simple
Ecosystem
npm
Vulnerable Versions
< 6.0.1
First Patched Version
6.0.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from improper sanitization of schemaName and tableName parameters used in SQL queries. Multiple sources reference the quotedTable function as constructing identifiers by wrapping user inputs in double quotes without proper escaping. The Snyk.io report specifically demonstrates how malicious schemaName values could manipulate query structure. The function's direct use of user-provided strings in SQL identifier positions makes it the clear injection vector.
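As an added illustration (not connect-pg-simple's own code), the quoting behaviour the analysis attributes to quotedTable is modelled beside a hardened form that doubles embedded double quotes as PostgreSQL requires; the function names, the allowlist and the sample table name are constructed for this example, and readQuotedIdent shows how a PostgreSQL-style parser would split each result.

```javascript
// Added illustration, not connect-pg-simple's own code. quotedTableVulnerable
// models the behaviour the analysis attributes to quotedTable: the name is
// wrapped in double quotes but never escaped, so a double quote inside the
// value closes the identifier early and the remainder is read as SQL.
function quotedTableVulnerable(schemaName, tableName) {
  const table = `"${tableName}"`;
  return schemaName ? `"${schemaName}".${table}` : table;
}

// Hardened form: PostgreSQL escapes a double quote inside a quoted identifier
// by doubling it, so the value can never terminate the identifier.
function quoteIdent(name) {
  if (typeof name !== 'string' || name.length === 0) {
    throw new TypeError('identifier must be a non-empty string');
  }
  return `"${name.replace(/"/g, '""')}"`;
}

// Optional allowlist (constructed for this example): stricter than escaping
// and appropriate when schema/table names come from configuration.
const IDENT_ALLOWLIST = /^[A-Za-z_][A-Za-z0-9_]*$/;

function quotedTableSafe(schemaName, tableName, { allowlist = false } = {}) {
  for (const name of [schemaName, tableName]) {
    if (allowlist && name !== undefined && !IDENT_ALLOWLIST.test(name)) {
      throw new Error(`identifier rejected by allowlist: ${name}`);
    }
  }
  const table = quoteIdent(tableName);
  return schemaName ? `${quoteIdent(schemaName)}.${table}` : table;
}

// Minimal reader for one PostgreSQL double-quoted identifier ("" is an escaped
// quote). Returns the identifier text and whatever follows the closing quote,
// which is exactly the text a database would go on to parse as SQL.
function readQuotedIdent(sql) {
  if (sql[0] !== '"') throw new Error('expected a double-quoted identifier');
  let ident = '';
  for (let i = 1; i < sql.length; i++) {
    if (sql[i] !== '"') { ident += sql[i]; continue; }
    if (sql[i + 1] === '"') { ident += '"'; i++; continue; } // escaped quote
    return { ident, rest: sql.slice(i + 1) };                // closing quote
  }
  throw new Error('unterminated identifier');
}

// Constructed sample: a legitimate name that happens to contain a double quote.
const SAMPLE_TABLE = 'report "2019"';
// Vulnerable: ident 'report ', rest '2019""' (leftover text becomes SQL).
// Safe:       ident 'report "2019"', rest '' (one identifier, nothing leaks).
```

Run readQuotedIdent over both builders' output for SAMPLE_TABLE: the vulnerable form leaves trailing text outside the identifier, the hardened form leaves none.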

WAF Protection Rules

WAF Rule

Impact: An unlikely SQL injection in the case of an unsanitized table name input.

Patches: The user should upgrade to `6.0.1`. Due to its low impact a backport has not been made to the `*.x` branch.

Workarounds: If there is no likelihood t