CVE-2023-42454

2023-09-1822:15:47

CWE-200

[email protected]

web.nvd.nist.gov

sqlpage

sql-only webapp builder

cve-2023-42454

security vulnerability

database connection

web security

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.6%

JSON

SQLpage is a SQL-only webapp builder. Someone using SQLpage versions prior to 0.11.1, whose SQLpage instance is exposed publicly, with a database connection string specified in the sqlpage/sqlpage.json configuration file (not in an environment variable), with the web_root is the current working directory (the default), and with their database exposed publicly, is vulnerable to an attacker retrieving database connection information from SQLPage and using it to connect to their database directly. Version 0.11.0 fixes this issue. Some workarounds are available. Using an environment variable instead of the configuration file to specify the database connection string prevents exposing it on vulnerable versions. Using a different web root (that is not a parent of the SQLPage configuration directory) fixes the issue. One should also avoid exposing one’s database publicly.

Affected configurations

Vulners

NVD

Node

lovasoasqlpageRange<0.11.1

VendorProductVersionCPE
lovasoasqlpage*cpe:2.3:a:lovasoa:sqlpage:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
lovasoa	sqlpage	*	cpe:2.3:a:lovasoa:sqlpage::::::::

CNA Affected

[
  {
    "vendor": "lovasoa",
    "product": "SQLpage",
    "versions": [
      {
        "version": "< 0.11.1",
        "status": "affected"
      }
    ]
  }
]