CVE-2014-125064: Added SQL injection check. · elgs/gosqljson@2740b33
A vulnerability, which was classified as critical, has been found in elgs gosqljson. This issue affects the function QueryDbToArray/QueryDbToMap/ExecDb of the file gosqljson.go. The manipulation of the argument sqlStatement leads to sql injection. The name of the patch is 2740b331546cb88eb61771df4c07d389e9f0363a. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217631.
@@ -26,6 +26,9 @@ func QueryDbToArray(db *sql.DB, toLower bool, sqlStatement string, sqlParams …
fmt.Println(err)
}
}()
SqlSafe(&sqlStatement)
var results [][]string
if strings.HasPrefix(strings.ToUpper(sqlStatement), “SELECT”) {
rows, err := db.Query(sqlStatement, sqlParams…)
@@ -73,6 +76,8 @@ func QueryDbToMap(db *sql.DB, toLower bool, sqlStatement string, sqlParams …in
}
}()
SqlSafe(&sqlStatement)
var results []map[string]string
if strings.HasPrefix(strings.ToUpper(sqlStatement), "SELECT ") {
rows, err := db.Query(sqlStatement, sqlParams…)
@@ -124,6 +129,8 @@ func ExecDb(db *sql.DB, sqlStatement string, sqlParams …interface{}) (int64, e
}
}()
SqlSafe(&sqlStatement)
sqlUpper := strings.ToUpper(sqlStatement)
if strings.HasPrefix(sqlUpper, "UPDATE ") ||
strings.HasPrefix(sqlUpper, "INSERT ") ||
@@ -137,3 +144,8 @@ func ExecDb(db *sql.DB, sqlStatement string, sqlParams …interface{}) (int64, e
}
return 0, errors.New(fmt.Sprint("Invalid SQL:", sqlStatement))
}
func SqlSafe(s *string) {
*s = strings.Replace(*s, "’", "’’", -1)
*s = strings.Replace(*s, "–", "", -1)
}
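Review bot: SqlSafe is applied to the whole SQL text instead of to untrusted values, so it neither closes the injection path the headline describes nor leaves valid statements intact: doubling every `'` turns `WHERE name = 'x'` into `WHERE name = ''x''`, stripping `--` leaves `;`, `/* */`, `#` and `UNION` untouched, and the `strings.HasPrefix` gates on L10, L17 and L24 only constrain the first token. Because all three call sites already forward `sqlParams...` to `db.Query`/`db.Exec`, the sound change is to drop the `SqlSafe(&sqlStatement)` calls and make the contract explicit on each function, e.g. `// sqlStatement must be a trusted query template; never concatenate caller data into it — pass values through sqlParams placeholders.`. If SqlSafe is kept for compatibility, note that its literals as rendered here are U+2019 and an en dash rather than ASCII `'` and `--`; if those are the bytes actually committed, the function matches nothing a SQL parser treats as a quote or comment, which should be confirmed against the raw file. Separately, QueryDbToArray's check uses `"SELECT"` without the trailing space that QueryDbToMap's `"SELECT "` has, so the two functions do not accept the same inputs. Every hunk here cuts into the middle of its function; the enclosing bodies begin and end outside the view.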