RubySec advisory RUBY:PGHERO-2023-22626 (rubygems)
History: Jan 03, 2023 - 9:00 p.m.

Information Disclosure Through EXPLAIN Feature

Published: 2023-01-03 21:00:00
Source: RubySec (github.com)
Tags: information disclosure, pghero, explain feature, database security

CVSS3 base score: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

A malicious PgHero user can use the EXPLAIN functionality to extract data from
the database. With certain inputs, a user can get the results of a query to
appear in an error message. If the PgHero database user has superuser privileges
(not recommended), the user can use file access functions to read files on the
database server.

Affected configurations

Vulners node: ruby / pghero, Range 3.1.0

Vendor: ruby
Product: pghero
Version: *
CPE: cpe:2.3:a:ruby:pghero:*:*:*:*:*:*:*:*
