CRITICAL · 9.3

CVE-2022-35942

Vulnerability Description

Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database. A patch was released in version 5.5.1.

This affects users who do any of the following:

- Connect to the database via the DataSource with the `allowExtendedProperties: true` setting, OR
- Use the connector's CRUD methods directly, OR
- Use the connector's other methods to interpret the LoopBack filter.

Users who are unable to upgrade should do the following, if applicable:

- Remove the `allowExtendedProperties: true` DataSource setting
- Add the `allowExtendedProperties: false` DataSource setting
- When passing user input directly to the connector functions, manually sanitize it for the `contains` LoopBack filter beforehand.
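The two workarounds above, as an added example that is not code from the advisory or from the loopback-connector-postgresql project: a DataSource configuration with extended properties disabled, and a check that locates any `contains` operator in a user-supplied LoopBack `where` clause before the filter is handed directly to a connector method. `findContainsOperators` and `isSafeFilter` are hypothetical helper names, and the host and database values are placeholders.

```javascript
// Added example (not from the advisory or loopback-connector-postgresql).
// Workaround 1: DataSource setting. `allowExtendedProperties` is the key the
// advisory names; host and database are placeholder values.
const dataSourceConfig = {
  connector: 'postgresql',
  host: 'db.example.internal',   // placeholder
  database: 'appdb',             // placeholder
  allowExtendedProperties: false,
};

// Workaround 2: find every `contains` operator in a LoopBack `where` clause.
// `findContainsOperators` is a hypothetical helper name. It returns the paths
// (dot-separated, arrays indexed by position) so the caller can reject the
// request and log exactly which field carried the extended operator.
function findContainsOperators(where, path = '') {
  const hits = [];
  if (Array.isArray(where)) {
    where.forEach((item, i) =>
      hits.push(...findContainsOperators(item, path ? `${path}.${i}` : String(i))));
  } else if (where !== null && typeof where === 'object') {
    for (const [key, value] of Object.entries(where)) {
      const here = path ? `${path}.${key}` : key;
      if (key === 'contains') hits.push(here);
      hits.push(...findContainsOperators(value, here));
    }
  }
  return hits;
}

// Gate placed in front of a direct connector call: standard LoopBack operators
// (like, inq, and/or, ...) pass; any `contains` makes the filter unacceptable.
function isSafeFilter(filter) {
  return !filter || !filter.where || findContainsOperators(filter.where).length === 0;
}

// Constructed sample: an untrusted caller smuggled `contains` inside an `and`.
const untrustedFilter = {
  where: {
    and: [
      { status: 'active' },
      { tags: { contains: ['from-user-input'] } },
    ],
  },
  limit: 10,
};

console.log(findContainsOperators(untrustedFilter.where)); // prints [ 'and.1.tags.contains' ]
console.log(isSafeFilter(untrustedFilter));                // prints false
```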

CVSS Score

9.3

CRITICAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

Vendor            Product                         Versions
Linuxfoundation   Loopback-Connector-Postgresql   < 5.5.1

FAQ

What is CVE-2022-35942?

CVE-2022-35942 is a vulnerability with a CVSS score of 9.3 (CRITICAL). Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database.

How severe is CVE-2022-35942?

CVE-2022-35942 has been rated CRITICAL with a CVSS base score of 9.3/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2022-35942?

Yes. As stated in the vulnerability description above, a patch was released in version 5.5.1 of Linuxfoundation Loopback-Connector-Postgresql; versions before 5.5.1 are affected. Users who cannot upgrade should apply the DataSource setting and input-sanitization workarounds listed in the description.