Summary
An authenticated attacker with create access could conduct a SQL Injection attack on MySQL DB using unescaped table_name.
Details
SQL Injection vulnerability occurs in VitessClient.ts.
async columnList(args: any = {}) {
const func = this.columnList.name;
const result = new Result();
log.api(`${func}:args:`, args);
try {
args.databaseName = this.connectionConfig.connection.database;
const response = await this.sqlClient.raw(
`select *, table_name as tn from information_schema.columns where table_name = '${args.tn}' ORDER by ordinal_position`,
);The variable ${args.tn} refers to the table name entered by the user.
A malicious attacker can escape the existing query by including a special character (') in the table name and insert and execute a new arbitrary SQL query.
Impact
This vulnerability may result in leakage of sensitive data in the database.
References
pyozzi-toss Reporter
Summary
An authenticated attacker with create access could conduct a SQL Injection attack on MySQL DB using unescaped table_name.
Details
SQL Injection vulnerability occurs in VitessClient.ts.
The variable ${args.tn} refers to the table name entered by the user.
A malicious attacker can escape the existing query by including a special character (') in the table name and insert and execute a new arbitrary SQL query.
Impact
This vulnerability may result in leakage of sensitive data in the database.
References