NPM Audit Report

9 known vulnerabilities | 321 dependencies | November 27th 2018, 1:38:02 pm

high Remote Code Execution

  • Module: pg
  • Published: August 13th 2017
  • Reported by: Sehrope Sarkuni
  • CWE-94
  • CVE-2017-16082
  • Vulnerable: < 2.11.2 || >= 3.0.0 < 3.6.4 || >= 4.0.0 < 4.5.7 || >= 5.0.0 < 5.2.1 || >= 6.0.0 < 6.0.5 || >= 6.1.0 < 6.1.6 || >= 6.2.0 < 6.2.5 || >= 6.3.0 < 6.3.3 || >= 6.4.0 < 6.4.2 || >= 7.0.0 < 7.0.2 || >= 7.1.0 < 7.1.2
  • Patched: >= 2.11.2 < 3.0.0|| >= 3.6.4 < 4.0.0 || >= 4.5.7 < 5.0.0 || >= 5.2.1 < 6.0.0 || >= 6.0.5 < 6.1.0 || >= 6.1.6 < 6.2.0 || >= 6.2.5 < 6.3.0 || >= 6.3.3 < 6.4.0 || >= 6.4.2 < 7.0.0 || >= 7.0.2 < 7.1.0 || >= 7.1.2
  • CVSS: 5

Overview

Affected versions of pg contain a remote code execution vulnerability that occurs when the remote database or query specifies a crafted column name.

There are two specific scenarios in which it is likely for an application to be vulnerable:

  1. The application executes unsafe, user-supplied sql which contains malicious column names.
  2. The application connects to an untrusted database and executes a query returning results which contain a malicious column name.

Proof of Concept

const { Client } = require('pg')
const client = new Client()
client.connect()

const sql = `SELECT 1 AS "\\'/*", 2 AS "\\'*/\n + console.log(process.env)] = null;\n//"`

client.query(sql, (err, res) => {
  client.end()
})

Remediation

  • Version 2.x.x: Update to version 2.11.2 or later.
  • Version 3.x.x: Update to version 3.6.4 or later.
  • Version 4.x.x: Update to version 4.5.7 or later.
  • Version 5.x.x: Update to version 5.2.1 or later.
  • Version 6.x.x: Update to version 6.4.2 or later. ( Note that versions 6.1.6, 6.2.5, and 6.3.3 are also patched. )
  • Version 7.x.x: Update to version 7.1.2 or later. ( Note that version 7.0.2 is also patched. )

References

Node Postgres: Code Execution Vulnerability Announcement

More about this vulnerability

low Prototype Pollution

  • Module: lodash
  • Published: April 24th 2018
  • Reported by: Olivier Arteau (HoLyVieR)
  • CWE-471
  • CVE-2018-3721
  • Vulnerable: <4.17.5
  • Patched: >=4.17.5
  • CVSS: 1

Overview

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.

Remediation

Update to version 4.17.5 or later.

References

More about this vulnerability