CVE-2022-35942: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
(updated )
Improper input validation on the contains
LoopBack filter may allow for arbitrary SQL injection. When the extended filter property contains
is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database. A patch was released in version 5.5.1. This affects users who does any of the following: - Connect to the database via the DataSource with allowExtendedProperties: true
setting OR - Uses the connector’s CRUD methods directly OR - Uses the connector’s other methods to interpret the LoopBack filter. Users who are unable to upgrade should do the following if applicable: - Remove allowExtendedProperties: true
DataSource setting - Add allowExtendedProperties: false
DataSource setting - When passing directly to the connector functions, manually sanitize the user input for the contains
LoopBack filter beforehand.
References
Detect and mitigate CVE-2022-35942 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →