CVE-2023-42454: SQLpage vulnerable to public exposure of database credentials
If all of the following hold:
- you are using a SQLPage version older than v0.11.1
- your SQLPage instance is exposed publicly
- the database connection string is specified in the sqlpage/sqlpage.json configuration file (not in an environment variable)
- the web_root is the current working directory (the default)
- your database is exposed publicly
then an attacker could retrieve the database connection information from SQLPage and use it to connect to your database directly.
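The conditions above can be checked offline against a deployment's own settings. The following is an added example written for this advisory, not code from the SQLPage project: it parses the version, tests whether the configuration file sits under the served web_root, checks whether the connection string is stored in the file, and shows the mitigation of moving it out of the file into an environment variable. The configuration key name "database_url" and the environment variable name "DATABASE_URL" are assumptions for this example, and the sample configuration is constructed.

```python
"""Offline checks for the SQLPage configuration-exposure conditions.

Added example; not part of the advisory or of the SQLPage project. The key
name "database_url" and the variable name "DATABASE_URL" are assumptions.
"""
import json
from pathlib import Path

FIXED_VERSION = (0, 11, 1)            # first version that no longer serves the config file
CONFIG_KEY = "database_url"           # assumed key name inside sqlpage.json
ENV_VAR = "DATABASE_URL"              # assumed environment variable name

# Constructed sample: a config file that carries credentials in the served directory.
SAMPLE_CONFIG = json.dumps({
    "database_url": "postgres://app:s3cret@db.internal/app",
    "web_root": ".",
})


def parse_version(text: str) -> tuple:
    """'v0.11.0' -> (0, 11, 0); a leading 'v' and non-numeric suffixes are dropped."""
    parts = []
    for piece in text.lstrip("v").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_version(text: str) -> bool:
    """Versions older than v0.11.1 are affected."""
    return parse_version(text) < FIXED_VERSION


def config_served_from_web_root(web_root, config_path) -> bool:
    """True when the configuration file lives inside the directory being served."""
    root = Path(web_root).resolve()
    cfg = Path(config_path).resolve()
    try:
        cfg.relative_to(root)
        return True
    except ValueError:
        return False


def credentials_in_file(config_text: str) -> bool:
    """True when the connection string is stored in the config file itself."""
    try:
        data = json.loads(config_text)
    except json.JSONDecodeError:
        return False
    return isinstance(data, dict) and bool(data.get(CONFIG_KEY))


def assess(version, web_root, config_path, config_text, instance_public, db_public) -> dict:
    """Evaluate every condition from the advisory; 'exposed' is True only if all hold."""
    findings = {
        "old_version": is_vulnerable_version(version),
        "config_under_web_root": config_served_from_web_root(web_root, config_path),
        "credentials_in_config_file": credentials_in_file(config_text),
        "instance_public": instance_public,
        "db_public": db_public,
    }
    findings["exposed"] = all(findings.values())
    return findings


def move_credentials_to_env(config_text: str) -> tuple:
    """Mitigation: strip the connection string from the file and return it as an env mapping.

    Returns (sanitized_config_text, env_vars_to_set).
    """
    data = json.loads(config_text)
    env = {}
    if CONFIG_KEY in data:
        env[ENV_VAR] = data.pop(CONFIG_KEY)
    return json.dumps(data, indent=2), env


if __name__ == "__main__":
    report = assess("v0.11.0", ".", "sqlpage/sqlpage.json", SAMPLE_CONFIG, True, True)
    print(json.dumps(report, indent=2))
    sanitized, env = move_credentials_to_env(SAMPLE_CONFIG)
    print("sanitized config:", sanitized)
    print("set in the environment instead:", sorted(env))
```

Running the module prints a finding per condition plus the combined verdict for the constructed sample, then the sanitized file and the name of the variable the secret was moved to. Upgrading past v0.11.1 removes the first condition, and keeping the connection string out of any file under web_root removes two more regardless of version.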