CVSS2: 6.4 Medium (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

CVSS3: 9.1 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

EPSS: 0.004 Low
Percentile: 74.9%

An attacker can inject values into a PostgreSQL connection string by providing a parameter surrounded by single quotes.
Depending on how the library is used in the client software, this may allow an attacker to bypass the login process, gain access to the server’s IP address, etc.
The vulnerability is fixed in ADOdb versions 5.20.21 (952de6c4273d9b1e91c2b838044f8c2111150c29) and 5.21.4 or later (b4d5ce70034c5aac3a1d51d317d93c037a0938d2).
The simplest patch is to delete line 29 in drivers/adodb-postgres64.inc.php:
diff --git a/drivers/adodb-postgres64.inc.php b/drivers/adodb-postgres64.inc.php
index d04b7f67..729d7141 100644
--- a/drivers/adodb-postgres64.inc.php
+++ b/drivers/adodb-postgres64.inc.php
@@ -26,7 +26,6 @@ function adodb_addslashes($s)
{
$len = strlen($s);
if ($len == 0) return "''";
- if (strncmp($s,"'",1) === 0 && substr($s,$len-1) == "'") return $s; // already quoted
return "'".addslashes($s)."'";
}
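Review bot: The removed `strncmp(...)` shortcut carried the only statement of the function's contract (its `// already quoted` comment), and nothing in the hunk replaces it. After this change a quote-wrapped value is escaped and wrapped again by the `return "'".addslashes($s)."'";` line instead of being passed through, so callers that relied on pre-quoting their parameters will see different behaviour. Suggest adding a comment above adodb_addslashes() stating that input is always treated as a raw, unquoted value, and a regression test with a quote-wrapped input so the shortcut is not reintroduced later.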
Ensure the parameters passed to ADOConnection::connect() or related functions (nConnect(), pConnect()) are not surrounded by single quotes.
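The effect of the patch and the workaround check, as an added example that is not part of the advisory or of ADOdb's code. The function names, the `user=` prefix used to assemble the string, and the sample value are assumptions made for illustration.

```php
<?php
// Added example, not ADOdb code. Function names are hypothetical.

// Pre-fix behaviour, kept as the advisory describes: a value that starts and
// ends with a single quote is treated as "already quoted" and returned as-is.
function quote_before_fix(string $s): string
{
    $len = strlen($s);
    if ($len == 0) return "''";
    if (strncmp($s, "'", 1) === 0 && substr($s, $len - 1) == "'") return $s;
    return "'" . addslashes($s) . "'";
}

// Post-fix behaviour: every non-empty value is escaped and wrapped.
function quote_after_fix(string $s): string
{
    if (strlen($s) == 0) return "''";
    return "'" . addslashes($s) . "'";
}

// Simplified tokenizer: counts keyword=value pairs in a connection string,
// honouring single-quoted values with backslash escapes.
function count_conninfo_pairs(string $conninfo): int
{
    $re = "/\\w+\\s*=\\s*(?:'(?:[^'\\\\]|\\\\.)*'|[^\\s']+)/s";
    return (int) preg_match_all($re, $conninfo);
}

// Workaround check: true when a value would have hit the pre-fix shortcut,
// so the caller can reject it before connect(), nConnect() or pConnect().
function is_quote_wrapped(string $s): bool
{
    return $s !== '' && $s[0] === "'" && substr($s, -1) === "'";
}

// Constructed sample value; application_name is a harmless libpq keyword.
$value = "'alice' application_name='demo'";

foreach (['quote_before_fix', 'quote_after_fix'] as $quote) {
    // Assumption: the caller builds "user=" followed by the quoted value.
    $conninfo = 'user=' . $quote($value);
    printf("%-16s pairs=%d  %s\n", $quote, count_conninfo_pairs($conninfo), $conninfo);
}
printf("reject before connect: %s\n", is_quote_wrapped($value) ? 'yes' : 'no');
```

A pair count above one for a single parameter means the value escaped its quoting; on unpatched versions, applying `is_quote_wrapped()` to every user-influenced connection parameter implements the workaround stated above.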
Thanks to Emmet Leahy (@meme-lord) of Sorcery Ltd for reporting this vulnerability, and to the huntr team for their support.
If you have any questions or comments about this advisory:
Name | Operator | Version |
---|---|---|
adodb/adodb-php | le | 5.21.3 |
adodb/adodb-php | le | 5.20.20 |
github.com/ADOdb/ADOdb/commit/952de6c4273d9b1e91c2b838044f8c2111150c29
github.com/ADOdb/ADOdb/commit/b4d5ce70034c5aac3a1d51d317d93c037a0938d2
github.com/ADOdb/ADOdb/issues/793
github.com/ADOdb/ADOdb/security/advisories/GHSA-65mj-7c86-79jf
github.com/advisories/GHSA-65mj-7c86-79jf
huntr.dev/bounties/bdf5f216-4499-4225-a737-b28bc6f5801c
lists.debian.org/debian-lts-announce/2022/02/msg00006.html
nvd.nist.gov/vuln/detail/CVE-2021-3850
www.debian.org/security/2022/dsa-5101