#postgres

Red Hat Security Advisory 2024-1999-03 - An update for postgresql-jdbc is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

Red Hat Security Advisory 2024-1686-03 - A new image is available for Red Hat Single Sign-On 7.6.7, running on OpenShift Container Platform 3.10 and 3.11, and 4.3. Issues addressed include an information leakage vulnerability.

Red Hat Security Advisory 2024-1662-03 - An update is now available for Red Hat build of Quarkus. Issues addressed include denial of service, information leakage, and memory leak vulnerabilities.

Red Hat Security Advisory 2024-1649-03 - An update for postgresql-jdbc is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

As part of its Secure by Design initiative, CISA urged companies to redouble efforts to quash SQL injection vulnerabilities. Here's how.

The malicious code inserted into the open-source library XZ Utils, a widely used package present in major Linux distributions, is also capable of facilitating remote code execution, a new analysis has revealed. The audacious supply chain compromise, tracked as CVE-2024-3094 (CVSS score: 10.0), came to light last week when Microsoft engineer and PostgreSQL developer Andres Freund

Details are starting to emerge about a stunning supply chain attack that sent the open source software community reeling.

### Summary A SQL injection vulnerability has been discovered in the the "Add News" functionality due to improper escaping of the email address. This allows any authenticated user with the rights to add/edit FAQ news to exploit this vulnerability to exfiltrate data, take over accounts and in some cases, even achieve RCE. ### Details The vulnerable field lies in the `authorEmail` field which uses PHP's `FILTER_VALIDATE_EMAIL` filter. This filter is insufficient in protecting against SQL injection attacks and should still be properly escaped. However, in this version of phpMyFAQ (3.2.5), this field is not escaped properly can be used together with other fields to fully exploit the SQL injection vulnerability. ### PoCs 4 PoCs are demonstrated here to illustrate the potential impacts. #### PoC 1 - Postgres Time Based SQLi 1. Login as admin or any user with the rights to view and save news. 2. Navigate to "../phpmyfaq/admin/?action=news", click on "Add news", fill in some data, send and...

Atlassian has released patches for more than two dozen security flaws, including a critical bug impacting Bamboo Data Center and Server that could be exploited without requiring user interaction. Tracked as CVE-2024-1597, the vulnerability carries a CVSS score of 10.0, indicating maximum severity. Described as an SQL injection flaw, it's rooted in a dependency called org.postgresql:

Red Hat Security Advisory 2024-1437-03 - An update for the postgresql:13 module is now available for Red Hat Enterprise Linux 8.4 Advanced Update Support.