8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-8wj8-cfxr-9374

GHSA-8wj8-cfxr-9374: AWS Advanced NodeJS Wrapper: Privilege Escalation in Aurora PostgreSQL instance

Description of Vulnerability:

An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users.

AWS recommends that customers upgrade to the following version: AWS NodeJS Wrapper to v2.0.1.

Source of Vulnerability Report:

Allistair Ishmael Hakim allistair.hakim@gmail.com

Affected products & versions:

AWS NodeJS Wrapper < 2.0.1.

Platforms:

MacOS/Windows/Linux

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-8wj8-cfxr-9374

GHSA-8wj8-cfxr-9374:

8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
aws-advanced-nodejs-wrapper	npm	< 2.0.1	2.0.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a privilege escalation in the AWS Advanced NodeJS Wrapper for Aurora PostgreSQL, identified as GHSA-8wj8-cfxr-9374. It arises from the use of unqualified function and table names in internal SQL queries sent to the PostgreSQL database. A low-privilege authenticated database user could create crafted functions or tables (e.g., aurora_replica_status, pg_proc, VERSION) in a schema that is in their search path (like public).

When the node.js wrapper executes its internal queries for tasks like topology discovery, health checks, or dialect detection, the PostgreSQL server might resolve these function names to the user's malicious implementations instead of the intended system functions (which are typically in the pg_catalog schema). This allows the attacker's code to be executed with the privileges of the application's database connection, which could be a highly privileged role like rds_superuser, leading to a full database compromise.

The patch rectifies this by applying schema qualification (pg_catalog.) to all internal function and table references in the SQL queries. This ensures that the correct, trusted system objects are always invoked, mitigating the search path vulnerability.

The identified vulnerable functions are those within the various database dialect classes (PgDatabaseDialect, AuroraPgDatabaseDialect, etc.) that are responsible for constructing these unsafe SQL queries. These functions are called internally by the wrapper during its operation.

Vulnerable functions

PgDatabaseDialect.getHostAliasQuery

pg/lib/dialect/pg_database_dialect.ts

This function constructs a SQL query to get the host alias. It uses unqualified functions `CONCAT`, `inet_server_addr`, and `inet_server_port`. A malicious user could create their own versions of these functions in their search path, which would be executed with the privileges of the application, leading to potential privilege escalation.

PgDatabaseDialect.getServerVersionQuery

pg/lib/dialect/pg_database_dialect.ts

This function constructs a SQL query to get the server version. It uses the unqualified function `VERSION()`. A malicious user could create their own `VERSION()` function to execute arbitrary code.

PgDatabaseDialect.isDialect

pg/lib/dialect/pg_database_dialect.ts

This function checks if the database is a PostgreSQL dialect by querying `pg_proc`. The query does not specify a schema for `pg_proc`. A malicious user could create a `pg_proc` table in their search path, causing the check to behave unexpectedly or allowing the user to influence the dialect detection.

AuroraPgDatabaseDialect internal query methods

pg/lib/dialect/aurora_pg_database_dialect.ts

The `AuroraPgDatabaseDialect` class defines multiple internal SQL queries as static strings (`TOPOLOGY_QUERY`, `HOST_ID_QUERY`, `IS_READER_QUERY`, `IS_WRITER_QUERY`, etc.) that are used by its methods to interact with the database. These queries used unqualified function calls (e.g., `aurora_replica_status()`, `aurora_db_instance_identifier()`, `pg_is_in_recovery()`). This allows a low-privilege user to execute arbitrary code by creating functions with the same names in their search path.

RdsMultiAZClusterPgDatabaseDialect.isReader

pg/lib/dialect/rds_multi_az_pg_database_dialect.ts

This method (inferred from the `IS_READER_QUERY` constant) in the `RdsMultiAZClusterPgDatabaseDialect` class uses an unqualified `pg_is_in_recovery()` function, making it vulnerable to a search path attack. This could cause the wrapper to misidentify the role of a database instance.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-8wj8-cfxr-9374: AWS Advanced NodeJS Wrapper: Privilege Escalation in Aurora PostgreSQL instance

Description of Vulnerability:

Source of Vulnerability Report:

Affected products & versions:

Platforms:

GHSA-8wj8-cfxr-9374:

8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

GHSA-8wj8-cfxr-9374: AWS Advanced NodeJS Wrapper: Privilege Escalation in Aurora PostgreSQL instance

Description of Vulnerability:

Source of Vulnerability Report:

Affected products & versions:

Platforms:

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

8

8

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI