The pw_pgsql_connect function does not properly sanitize SQL queries, leading to SQLi via the pgsql config file.
No CVE assigned
Development version - master branch (Feb 20, 2020)
pw_pgsql_connect (SQLi via config file)
Two different bugs have been detected:
1. pw_pgsql_escape_conninfo does not handle the '\' case correctly: the current code snippet re-introduces the single quote that the escaping is meant to neutralise.
2. The snprintf function is called with the non-escaped strings (pw) instead of the escaped strings (escaped_pw). As a result, the conninfo string is not properly sanitized and it is possible to inject SQL code into this query.
This issue may lead to a local SQLi via the pgsql config file.
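As an added illustration (not pure-ftpd's code; the function and parameter names are my own, and the sample values are constructed), the following routine escapes a libpq conninfo value by backslash-prefixing both the single quote and the backslash, and the builder only ever hands the escaped copies to snprintf, which is the combination the two bugs above get wrong:

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not pure-ftpd's). libpq conninfo values are written
 * as key='value'; inside the quotes both ' and \ must be prefixed with a
 * backslash. Returns 0 on success, -1 if the output buffer is too small. */
static int escape_conninfo_value(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (const char *p = in; *p != '\0'; p++) {
        /* Both special characters get exactly one backslash in front of them;
         * the '\' case is the one the advisory reports as mishandled. */
        if (*p == '\'' || *p == '\\') {
            if (o + 2 >= outlen)
                return -1;
            out[o++] = '\\';
        } else if (o + 1 >= outlen) {
            return -1;
        }
        out[o++] = *p;
    }
    out[o] = '\0';
    return 0;
}

/* Hypothetical builder: formats the conninfo string from the *escaped*
 * copies only, never from the raw config values (the advisory's second bug
 * passed the raw pw to snprintf). Returns 0 on success, -1 on truncation. */
static int build_conninfo(const char *host, const char *user, const char *pw,
                          const char *db, char *out, size_t outlen)
{
    char eh[256], eu[256], ep[256], ed[256];

    if (escape_conninfo_value(host, eh, sizeof eh) != 0 ||
        escape_conninfo_value(user, eu, sizeof eu) != 0 ||
        escape_conninfo_value(pw, ep, sizeof ep) != 0 ||
        escape_conninfo_value(db, ed, sizeof ed) != 0)
        return -1;

    int n = snprintf(out, outlen,
                     "host='%s' user='%s' password='%s' dbname='%s'",
                     eh, eu, ep, ed);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    char buf[1024];

    /* Constructed sample password containing both characters that need escaping. */
    if (build_conninfo("localhost", "ftpd", "it's\\ok", "pureftpd", buf, sizeof buf) == 0)
        printf("%s\n", buf);
    return 0;
}
```

Every value that reaches the format string has already passed through the escaper, so a quote or backslash in the config file stays inside its quoted token instead of terminating it; the buffer-size checks make truncation an error rather than a silently shortened conninfo.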
This report is subject to our coordinated disclosure policy.
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).
You can contact the GHSL team at firstname.lastname@example.org; please include the GHSL-2020-031 identifier in any communication regarding this issue.