8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-7xw4-g7mm-r4hh

GHSA-7xw4-g7mm-r4hh: Amazon Web Services Advanced JDBC Wrapper: Privilege Escalation in Aurora PostgreSQL instance

Description of Vulnerability:

An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users.

AWS recommends for customers to upgrade to the following versions: AWS JDBC Wrapper to v2.6.5 or greater.

Source of Vulnerability Report:

Allistair Ishmael Hakim allistair.hakim@gmail.com

Affected products & versions:

AWS JDBC Wrapper < 2.6.5

Platforms:

MacOS/Windows/Linux

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-7xw4-g7mm-r4hh

GHSA-7xw4-g7mm-r4hh:

8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
software.amazon.jdbc:aws-advanced-jdbc-wrapper	maven	<= 2.6.4	2.6.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a privilege escalation issue in the AWS Advanced JDBC Wrapper when used with Amazon Aurora PostgreSQL. It stems from the use of unqualified function names in SQL queries sent by the wrapper to the database. An authenticated low-privilege attacker can create a malicious function with the same name as a system function (e.g., aurora_db_instance_identifier). When the JDBC wrapper executes a query using this function name without specifying the schema (pg_catalog), the database may execute the attacker's function instead of the intended one. This leads to the execution of arbitrary code with the privileges of the application's database user. The patch fixes this by adding the pg_catalog schema qualifier to all PostgreSQL internal function calls in the JDBC wrapper's dialect files, ensuring that the correct, trusted functions are always executed. The identified vulnerable functions are part of the database dialect implementation and are responsible for generating or executing these unsafe queries.

Vulnerable functions

software.amazon.jdbc.dialect.PgDialect.getHostAliasQuery

wrapper/src/main/java/software/amazon/jdbc/dialect/PgDialect.java

The function returns a SQL query string that uses the `CONCAT` and `inet_server_addr` functions without schema qualification. An attacker with CREATE FUNCTION privileges could define a malicious function with the same name in their own schema, which would be executed with the privileges of the application user.

software.amazon.jdbc.dialect.PgDialect.getServerVersionQuery

wrapper/src/main/java/software/amazon/jdbc/dialect/PgDialect.java

The function returns a SQL query string that uses the `VERSION()` function without schema qualification, making it vulnerable to a search_path attack.

software.amazon.jdbc.dialect.PgDialect.isDialect

wrapper/src/main/java/software/amazon/jdbc/dialect/PgDialect.java

This function executes a query against `pg_proc` without schema qualification. An attacker could create a table named `pg_proc` in a different schema to interfere with the dialect detection logic.

software.amazon.jdbc.dialect.AuroraPgDialect.getTopology

wrapper/src/main/java/software/amazon/jdbc/dialect/AuroraPgDialect.java

This function is inferred to use the `TOPOLOGY_QUERY` to get cluster topology information. The original query used `aurora_replica_status()` without schema qualification, allowing an attacker to provide false topology information by creating a malicious function with the same name.

software.amazon.jdbc.dialect.AuroraPgDialect.isWriter

wrapper/src/main/java/software/amazon/jdbc/dialect/AuroraPgDialect.java

This function is inferred to use the `IS_WRITER_QUERY` to determine if the current node is the writer. The query uses `aurora_replica_status()` and `aurora_db_instance_identifier()` without schema qualification, making it vulnerable to a search_path attack.

software.amazon.jdbc.dialect.RdsMultiAzDbClusterPgDialect.isReader

wrapper/src/main/java/software/amazon/jdbc/dialect/RdsMultiAzDbClusterPgDialect.java

This function is inferred to use the `IS_READER_QUERY` to check if the instance is a reader. The original query used `pg_is_in_recovery()` without schema qualification, making it vulnerable to a search_path attack.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-7xw4-g7mm-r4hh: Amazon Web Services Advanced JDBC Wrapper: Privilege Escalation in Aurora PostgreSQL instance

Description of Vulnerability:

Source of Vulnerability Report:

Affected products & versions:

Platforms:

GHSA-7xw4-g7mm-r4hh:

8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

8

8

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-7xw4-g7mm-r4hh: Amazon Web Services Advanced JDBC Wrapper: Privilege Escalation in Aurora PostgreSQL instance

Description of Vulnerability:

Source of Vulnerability Report:

Affected products & versions:

Platforms:

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI