Headline
CVE-2023-22626: Information Disclosure Through EXPLAIN Feature · Issue #439 · ankane/pghero
PgHero before 3.1.0 allows Information Disclosure via EXPLAIN because query results may be present in an error message. (Depending on database user privileges, this may only be information from the database, or may be information from file contents on the database server.)
PgHero can expose data to users through the EXPLAIN feature. This vulnerability has been assigned the CVE identifier CVE-2023-22626.
Versions Affected: 0.1.1 to 3.0.1
Fixed Versions: 3.1.0
Impact
A malicious PgHero user can use the EXPLAIN functionality to extract data from the database. With certain inputs, a user can get the results of a query to appear in an error message. If the PgHero database user has superuser privileges (not recommended), the user can use file access functions to read files on the database server.
Mitigation
All users running an affected version should upgrade when possible.
See #438 for related EXPLAIN security considerations and changes in this release.
Credit
Thanks to Seryun Ham of https://horangi.com (blog) for reporting this.
Related news
PgHero before 3.1.0 allows Information Disclosure via EXPLAIN because query results may be present in an error message. (Depending on database user privileges, this may only be information from the database, or may be information from file contents on the database server.)