CVE-2022-36030: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') and Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') and Improper Neutralizatio

Project-nexus is a general-purpose blog website framework. Affected versions are subject to SQL injection because user input is not sanitized before being used to build database queries. This issue has not yet been patched. Users are advised to restrict user input and to upgrade when a new release becomes available.


Impact

If a database query (such as a SQL or NoSQL query) is built from user-provided data without sufficient sanitization, a malicious user may be able to run attacker-controlled database queries against the application's database.

Patches

Yet to be patched.

Workarounds

Most database connector libraries offer a way of safely embedding untrusted data into a query using query parameters or prepared statements.

For NoSQL queries, make use of an operator like MongoDB’s $eq to ensure that untrusted data is interpreted as a literal value and not as a query object.
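The two workarounds above, as an added example that is not project-nexus code: a check that reports operator keys in request-derived JSON, a filter builder that only accepts primitives and wraps them in `$eq`, and a parameterized SQL query. It assumes an Express-style handler where `req.body` or `req.query` values may arrive as objects rather than strings, and a driver that uses `?` placeholders.

```javascript
// Added example (not project-nexus code). Assumes request values may be strings
// OR objects (a JSON body, or a qs-parsed query string, can produce objects).

// Walk a parsed value and report every key MongoDB would treat as an operator.
// Useful as a detection/logging hook before any value reaches the driver.
function findOperatorKeys(value, path = '') {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findOperatorKeys(v, `${path}[${i}]`)));
  } else if (value !== null && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      const p = path ? `${path}.${k}` : k;
      if (k.startsWith('$')) hits.push(p);
      hits.push(...findOperatorKeys(v, p));
    }
  }
  return hits;
}

// Build a MongoDB filter that matches `field` against `untrusted` as a literal.
// Two layers: reject anything that is not a primitive (so an object such as
// {"$ne": null} never becomes part of the query), then wrap in $eq so the
// driver compares against a value, not a query object.
function literalFilter(field, untrusted) {
  const t = typeof untrusted;
  if (!(t === 'string' || t === 'number' || t === 'boolean')) {
    throw new TypeError(`expected a primitive for ${field}, got ${t}`);
  }
  return { [field]: { $eq: untrusted } };
}

// SQL counterpart: the value is never spliced into the query text; it is handed
// to the driver as a parameter (placeholder syntax '?' is an assumption here).
function userByNameQuery(untrusted) {
  return {
    text: 'SELECT id, name FROM users WHERE name = ?',
    values: [String(untrusted)],
  };
}

module.exports = { findOperatorKeys, literalFilter, userByNameQuery };
```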

References

  • Wikipedia: SQL Injection
  • MongoDB: $eq operator
  • Common Weakness Enumeration: CWE-89
  • Common Weakness Enumeration: CWE-90
  • Common Weakness Enumeration: CWE-943

For more information

If you have any questions or comments about this advisory:
