CVE-2017-16082
N/A
N/A
Summary
A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are 2 likely scenarios in which one would likely be vulnerable. 1) Executing unsafe, user-supplied sql which contains a malicious column name. 2) Connecting to an untrusted database and executing a query which returns results where any of the column names are malicious.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| HackerOne | pg node module | `< 2.11.2 |
Weaknesses
- CWE-94: Code Injection (CWE-94)
ADP Enrichment
CVE Program Container
Additional References
- https://node-postgres.com/announcements#2017-08-12-code-execution-vulnerability
- https://nodesecurity.io/advisories/521
References
- https://node-postgres.com/announcements#2017-08-12-code-execution-vulnerability
- https://nodesecurity.io/advisories/521
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.