CVE-2023-38195: Security issue when using external (SQL Server or PostgreSQL) metadata storage · Issue #1886 · datalust/seq-tickets
Datalust Seq before 2023.2.9489 allows insertion of sensitive information into an externally accessible file or directory. This is exploitable only when external (SQL Server or PostgreSQL) metadata storage is used. Exploitation can only occur from a high-privileged user account.
A vulnerability has been found affecting Seq instances that use external (SQL Server or PostgreSQL) metadata storage.
Exploiting the vulnerability requires a high level of existing access (the kind of infrastructure access normally held by administrative users).
Datalust advises that all Seq instances using SQL Server or PostgreSQL metadata storage should be updated to Seq 2023.2.9489 or later.
Affected versions: Seq versions prior to 2023.2.9489 that use SQL Server or PostgreSQL metadata storage.
Fix version: 2023.2.9489.
CVE#: CVE-2023-38195
Detecting use of the SQL Server or PostgreSQL metadata store
Seq normally uses a local filesystem-based store for configuration data. In some environments, SQL Server or PostgreSQL may be used instead. External metadata storage requires additional opt-in configuration as well as infrastructure provisioning.
The easiest way to confirm whether SQL Server or PostgreSQL is in use is to download a diagnostic report from Settings > Diagnostics in the Seq UI, and look for either:
Using SQL Metastore : Yes
or
Using PostgreSQL Metastore : Yes
in the Server Configuration section.
Otherwise, if a diagnostic report is not available, use of external metadata storage can be detected by the presence of a value in any of the following:
- The metastore.postgres.connectionString or metastore.msSql.connectionString settings, accessed using either seq config get or seq secret get from an Administrative PowerShell prompt (Windows), or
- The metastore.postgres.connectionString or metastore.msSql.connectionString settings, accessed using either seqsvr config get or seqsvr secret get from a shell prompt within the Docker container, or
- The SEQ_METASTORE_POSTGRES_CONNECTIONSTRING or SEQ_METASTORE_MSSQL_CONNECTIONSTRING environment variables (Windows and Docker).
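As an added example (not Datalust's own tooling), the following POSIX shell script automates the three checks above from inside the Docker container or on a host where the Seq CLI is on PATH. The `-k` flag on `config get`/`secret get`, the `SEQ_CLI` variable and the script name `check-seq-metastore.sh` are assumptions, not documented here.

```shell
#!/bin/sh
# Added example, not Datalust's own tooling: look for the three signals that a
# Seq instance uses external (SQL Server / PostgreSQL) metadata storage and so
# must be on 2023.2.9489 or later for CVE-2023-38195.

# Signal 1: the environment variables (Windows and Docker). Prints the name of
# the variable that is set; returns 1 when neither is set.
env_uses_external_metastore() {
    if [ -n "${SEQ_METASTORE_POSTGRES_CONNECTIONSTRING:-}" ]; then echo SEQ_METASTORE_POSTGRES_CONNECTIONSTRING; return 0; fi
    if [ -n "${SEQ_METASTORE_MSSQL_CONNECTIONSTRING:-}" ]; then echo SEQ_METASTORE_MSSQL_CONNECTIONSTRING; return 0; fi
    return 1
}

# Signal 2: the settings read back through the Seq CLI (`seqsvr` in the Docker
# image; set SEQ_CLI=seq on a host install). ASSUMPTION: `<cli> config get -k <key>`
# and `<cli> secret get -k <key>` print the value, or nothing when it is unset.
cli_uses_external_metastore() {
    cli="${SEQ_CLI:-seqsvr}"
    command -v "$cli" >/dev/null 2>&1 || return 1
    for key in metastore.postgres.connectionString metastore.msSql.connectionString; do
        for verb in config secret; do
            value=$("$cli" "$verb" get -k "$key" 2>/dev/null) || value=""
            if [ -n "$value" ]; then echo "$key via '$cli $verb get'"; return 0; fi
        done
    done
    return 1
}

# Signal 3: a diagnostic report saved from Settings > Diagnostics, checked for
# the "Using SQL Metastore : Yes" / "Using PostgreSQL Metastore : Yes" lines.
report_uses_external_metastore() {
    [ -r "${1:-}" ] || return 1
    grep -Eq 'Using (SQL|PostgreSQL) Metastore[[:space:]]*:[[:space:]]*Yes' "$1"
}

# Combine the signals: returns 0 (and prints the evidence) when any one fires.
seq_metastore_check() {
    found=1
    if hit=$(env_uses_external_metastore); then echo "environment: $hit"; found=0; fi
    if hit=$(cli_uses_external_metastore); then echo "cli setting: $hit"; found=0; fi
    if report_uses_external_metastore "${1:-}"; then echo "diagnostic report: $1"; found=0; fi
    [ "$found" -eq 0 ] && echo "External metadata storage in use: confirm Seq is 2023.2.9489 or later."
    return "$found"
}

# Run the combined check only when executed as a script (not when sourced).
case "$0" in *check-seq-metastore.sh) seq_metastore_check "$@" ;; esac
```

Pass the path of a saved diagnostic report as the first argument to include the report check; a non-zero exit status means no external metastore signal was found.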