CVE-2017-16082
CVE-2017-16082 is a vulnerability of currently unknown severity. A remote code execution vulnerability was found within the pg module, triggered when the remote database or query specifies a specially crafted column name. There are two likely scenarios in which one would be vulnerable (see Description). EPSS estimates a 10.51% chance of exploitation in the next 30 days.
Description
A remote code execution vulnerability was found within the pg module, triggered when the remote database or query specifies a specially crafted column name. There are two likely scenarios in which one would be vulnerable:
1) Executing unsafe, user-supplied SQL which contains a malicious column name.
2) Connecting to an untrusted database and executing a query which returns results where any of the column names are malicious.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Node-Postgres | Pg | >= 2.0.0, < 2.11.2 |
| Node-Postgres | Pg | >= 3.0.0, < 3.6.4 |
| Node-Postgres | Pg | >= 4.0.0, < 4.5.7 |
| Node-Postgres | Pg | > 5.0.0, < 5.2.1 |
| Node-Postgres | Pg | >= 6.0.0, < 6.4.2 |
| Node-Postgres | Pg | >= 7.0.0, < 7.1.2 |
References
- https://node-postgres.com/announcements#2017-08-12-code-execution-vulnerability (Exploit, Third Party Advisory)
- https://nodesecurity.io/advisories/521 (Exploit, Third Party Advisory)
Source: NVD / NIST
