Lucene search

GitHub Advisory DatabaseGHSA-4JV9-3563-23J3

HistoryDec 19, 2022 - 9:30 a.m.

Knex.js has a limited SQL injection vulnerability

2022-12-1909:30:23

CWE-89

GitHub Advisory Database

github.com

knex.js

sql injection

vulnerability fix

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

50.9%

JSON

Knex Knex.js through 2.3.0 has a limited SQL injection vulnerability that can be exploited to ignore the WHERE clause of a SQL query. This vulnerability has been fixed in version 2.4.0.

Affected configurations

Vulners

Node

knexjsknexRange<2.4.0node.js

CPENameOperatorVersion
knexlt2.4.0

CPE	Name	Operator	Version
	knex	lt	2.4.0

References

github.com/advisories/GHSA-4jv9-3563-23j3

github.com/knex/knex/commit/e145322da92749be7749f9ade5b5f5a66d6586a4

github.com/knex/knex/issues/1227

github.com/knex/knex/pull/5417

github.com/knex/knex/releases/tag/2.4.0

nvd.nist.gov/vuln/detail/CVE-2016-20018

www.ghostccamm.com/blog/knex_sqli/

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

50.9%

JSON

Related for GHSA-4JV9-3563-23J3