Vulnerability Description
A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are 2 likely scenarios in which one would be vulnerable: 1) executing unsafe, user-supplied SQL which contains a malicious column name; 2) connecting to an untrusted database and executing a query which returns results where any of the column names are malicious.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Node-Postgres | Pg | >= 2.0.0, < 2.11.2 |
Related Weaknesses (CWE)
References
- https://node-postgres.com/announcements#2017-08-12-code-execution-vulnerability (Exploit, Third Party Advisory)
- https://nodesecurity.io/advisories/521 (Exploit, Third Party Advisory)
FAQ
What is CVE-2017-16082?
CVE-2017-16082 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are 2 likely scenarios in which one would likely...
How severe is CVE-2017-16082?
CVE-2017-16082 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2017-16082?
Check the references section above for vendor advisories and patch information. Affected products include: Node-Postgres Pg.