Headline
CVE-2023-22494: Potential SQL Injections
a12nserver is an open source lightweight OAuth2 server. Users of a12nserver that use MySQL might be vulnerable to SQL injection bugs. If you use a12nserver and MySQL, update as soon as possible. This SQL injection bug might let an attacker obtain OAuth2 Access Tokens for users unrelated to those that permitted OAuth2 clients. The knex dependency has been updated to 2.4.0 in a12nserver 0.23.0. There are no known workarounds.
Moderate
evert published GHSA-crhg-xgrg-vvcc
Jan 12, 2023
Package
npm @curveball/a12n-server (npm)
Affected versions
<0.23.0 >0.20.0
Patched versions
0.23.0
Description
Impact
Users of a12nserver that use MySQL might be vulnerable to SQL injection bugs.
If you use a12nserver and MySQL, update as soon as possible. This SQL injection bug might let an attacker obtain OAuth2 Access Tokens for users unrelated to those that permitted OAuth2 clients.
Patches
The knex dependency has been updated to 2.4.0 in a12nserver 0.23.0
Workarounds
No further workarounds
References
- knex/knex#1227
- https://nvd.nist.gov/vuln/detail/CVE-2016-20018
- https://www.ghostccamm.com/blog/knex_sqli/
Severity
Moderate
6.5
/ 10
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
CVE ID
CVE-2023-22494
Weaknesses
CWE-89
Related news
Knex Knex.js through 2.3.0 has a limited SQL injection vulnerability that can be exploited to ignore the WHERE clause of a SQL query.
Knex Knex.js through 2.3.0 has a limited SQL injection vulnerability that can be exploited to ignore the WHERE clause of a SQL query.