10

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-42454

CVE-2023-42454: SQLpage vulnerable to public exposure of database credentials

Impact

you are using a SQLPage version older than v0.11.1
your SQLPage instance is exposed publicly
the database connection string is specified in the sqlpage/sqlpage.json configuration file (not in an environment variable)
the web_root is the current working directory (the default)
your database is exposed publicly

then an attacker could retrieve the database connection information from SQLPage and use it to connect to your database directly.

Patches

Upgrade to v0.11.1 as soon as possible.

Workarounds

If you cannot upgrade immediately:

Using an environment variable instead of the configuration file to specify the database connection string prevents exposing it on vulnerable versions.
Using a different web root (that is not a parent of the SQLPage configuration directory) fixes the issue.
And in any case, you should generally avoid exposing your database publicly

References

https://github.com/lovasoa/SQLpage/issues/89

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-42454

CVE-2023-42454:

10

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
sqlpage	rust	< 0.11.1	0.11.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key factors: 1) Configuration loading from a file in an accessible location, and 2) Web server logic serving that file. The file_server.rs function would be responsible for serving static files from the web root, which in default configuration includes the sqlpage.json file. The configuration.rs function creates the vulnerable condition by storing credentials in a file that becomes web-accessible. Together they create the exposure path, even though the root cause is the insecure file serving capability combined with sensitive file location.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

10

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-42454: SQLpage vulnerable to public exposure of database credentials

Impact

Patches

Workarounds

References

CVE-2023-42454:

10

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-42454: SQLpage vulnerable to public exposure of database credentials

Impact

Patches

Workarounds

References

Technical Details

Basic Information

Basic Information

10

10

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI