Skip to content

pg-promise-4.8.1.tgz: 1 vulnerabilities (highest severity is: 9.8) reachable #27

New issue
New issue
Open
Open
pg-promise-4.8.1.tgz: 1 vulnerabilities (highest severity is: 9.8) reachable#27
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@dev-mend-for-github-com

Description

@dev-mend-for-github-com
dev-mend-for-github-com
bot
opened on Jan 20, 2025
Vulnerable Library - pg-promise-4.8.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pg/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (pg-promise version) Remediation Possible** Reachability
CVE-2017-16082 Critical 9.8 pg-5.1.0.tgz Transitive 6.0.0

Reachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2017-16082

Vulnerable Library - pg-5.1.0.tgz

PostgreSQL client - pure javascript & libpq with the same API

Library home page: https://registry.npmjs.org/pg/-/pg-5.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/pg/package.json

Dependency Hierarchy:

  • pg-promise-4.8.1.tgz (Root Library)
    • pg-5.1.0.tgz (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

vulnerable-node-source-0.0.0/model/init_db.js (Application)
  -> pg-promise-4.8.1/lib/index.js (Extension)
   -> pg-5.1.0/lib/index.js (Extension)
    -> pg-5.1.0/lib/client.js (Extension)
     -> pg-5.1.0/lib/query.js (Extension)
      -> ❌ pg-5.1.0/lib/result.js (Vulnerable Component)

Vulnerability Details

A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are 2 likely scenarios in which one would likely be vulnerable. 1) Executing unsafe, user-supplied sql which contains a malicious column name. 2) Connecting to an untrusted database and executing a query which returns results where any of the column names are malicious.

Publish Date: 2018-04-26

URL: CVE-2017-16082

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/521/versions

Release Date: 2018-06-07

Fix Resolution (pg): 6.0.5

Direct dependency fix Resolution (pg-promise): 6.0.0

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions