cvelist/2017/16xxx/CVE-2017-16082.json
2018-06-06 22:03:06 -04:00


{
"CVE_data_meta" : {
"ASSIGNER" : "support@hackerone.com",
"DATE_PUBLIC" : "2018-04-26T00:00:00",
"ID" : "CVE-2017-16082",
"STATE" : "PUBLIC"
},
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "pg node module",
"version" : {
"version_data" : [
{
"version_value" : "< 2.11.2 || >= 3.0.0 < 3.6.4 || >= 4.0.0 < 4.5.7 || >= 5.0.0 < 5.2.1 || >= 6.0.0 < 6.0.5 || >= 6.1.0 < 6.1.6 || >= 6.2.0 < 6.2.5 || >= 6.3.0 < 6.3.3 || >= 6.4.0 < 6.4.2 || >= 7.0.0 < 7.0.2 || >= 7.1.0 < 7.1.2"
}
]
}
}
]
},
"vendor_name" : "HackerOne"
}
]
}
},
"data_format" : "MITRE",
"data_type" : "CVE",
"data_version" : "4.0",
"description" : {
"description_data" : [
{
"lang" : "eng",
"value" : "A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are two scenarios in which one would likely be vulnerable: 1) Executing unsafe, user-supplied SQL that contains a malicious column name. 2) Connecting to an untrusted database and executing a query that returns results in which any of the column names are malicious."
}
]
},
"problemtype" : {
"problemtype_data" : [
{
"description" : [
{
"lang" : "eng",
"value" : "Code Injection (CWE-94)"
}
]
}
]
},
"references" : {
"reference_data" : [
{
"name" : "https://node-postgres.com/announcements#2017-08-12-code-execution-vulnerability",
"refsource" : "MISC",
"url" : "https://node-postgres.com/announcements#2017-08-12-code-execution-vulnerability"
},
{
"name" : "https://nodesecurity.io/advisories/521",
"refsource" : "MISC",
"url" : "https://nodesecurity.io/advisories/521"
}
]
}
}