CyberSecurity news

FlagThis - #sqlinjection

@csoonline.com - 14d
A high-severity SQL injection vulnerability, tracked as CVE-2025-1094, has been discovered in PostgreSQL's psql interactive tool. Rapid7 researchers found that the threat actors who exploited a zero-day flaw (CVE-2024-12356) in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products during targeted attacks in December 2024 likely also exploited this previously unknown PostgreSQL SQL injection flaw alongside it.

The vulnerability lets an attacker execute arbitrary SQL commands and can escalate to OS command execution. The flaw stems from how PostgreSQL's quoting routines handle invalid UTF-8: text that fails encoding validation is not properly neutralized, so attacker-controlled input can break out of a quoted string and, when the resulting statement is fed to psql, invoke its "\!" meta-command, which runs a shell command. Rapid7 found that successful exploitation of the BeyondTrust vulnerability required chaining it with CVE-2025-1094 to achieve remote code execution. Patches have been released for PostgreSQL versions 13 through 17, and users are advised to upgrade their database servers immediately.

References:
  • The Register - Security: High-complexity bug unearthed by infoseccers, as Rapid7 probes exploit further. A high-severity SQL injection bug in the PostgreSQL interactive tool was exploited alongside the zero-day used to break into the US Treasury in December, researchers say…
  • Caitlin Condon: CVE-2025-1094 is a SQL injection flaw in PostgreSQL's psql interactive tool that was discovered while analyzing BeyondTrust RS CVE-2024-12356. The bug is interesting — 🧵 on its relation to BeyondTrust exploitation
  • securityaffairs.com: Threat actors are exploiting a zero-day SQL injection vulnerability in PostgreSQL, according to researchers from cybersecurity firm Rapid7.
  • The Hacker News: Threat actors who were behind the exploitation of a zero-day vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products in December 2024 likely also exploited a previously unknown SQL injection flaw in PostgreSQL, according to findings from Rapid7.
  • www.csoonline.com: PostgreSQL patches SQLi vulnerability likely exploited in BeyondTrust attacks
  • infosec.exchange: New vuln disclosure c/o : CVE-2025-1094 is a SQL injection flaw in PostgreSQL's psql interactive tool that was discovered while analyzing BeyondTrust RS CVE-2024-12356. The bug is interesting on its relation to BeyondTrust exploitation
  • MSSP feed for Latest: New PostgreSQL Zero-Day Potentially Leveraged in BeyondTrust Attacks
  • www.scworld.com: New PostgreSQL zero-day potentially leveraged in BeyondTrust attacks
  • Talkback Resources: Rapid7 discovered a zero-day vulnerability in PostgreSQL's psql terminal (CVE-2025-1094) enabling SQL injection, exploited in attacks on BeyondTrust Remote Support systems, compromising US Treasury Department machines.
  • Caitlin Condon: CVE-2025-1094 affects all supported versions of PostgreSQL
  • Open Source Security: oss-security post on the February 13 announcement, noting that CVE-2025-1094 is related to BeyondTrust CVE-2024-12356, quoting Caitlin Condon's thread and linking the referenced Rapid7 blog post.
  • www.postgresql.org: PostgreSQL security announcement about CVE-2025-1094.
  • Open Source Security: Re: CVE-2025-1094: PostgreSQL: Quoting APIs miss neutralizing quoting syntax in text that fails encoding validation, enabling psql SQL injection
  • securityonline.info: Metasploit-Ready: CVE-2025-1094 SQLi in PostgreSQL Exposes Systems to Remote Attacks
  • Caitlin Condon: Infosec.exchange post linking to various resources related to CVE-2025-1094 in PostgreSQL.
  • www.postgresql.org: PostgreSQL announcement about PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 releases fixing CVE-2025-1094

@The Hacker News - 64d
The Apache Software Foundation has issued critical security updates to address severe vulnerabilities affecting several of its products, including MINA, HugeGraph-Server, and Traffic Control. These updates are crucial as the identified flaws could potentially allow attackers to compromise systems. Specifically, a SQL Injection vulnerability was discovered in Apache Traffic Control.

Security teams are being urged to immediately patch the vulnerability, rated 9.9 on the CVSS scale, in the web content distribution platform. The identified issues present a serious risk of exploitation, and organizations using these Apache products should prioritize applying the latest security updates to protect their systems. The release of these fixes underscores the continuous need for vigilance in maintaining secure software infrastructure.

References:
  • The Hacker News: Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now
  • ciso2ciso.com: Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now – Source:thehackernews.com
  • Osint10x: Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now
  • securityonline.info: CVE-2024-45387 (CVSS 9.9): Critical SQL Injection Vulnerability Found in Apache Traffic Control
  • osint10x.com: Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now
  • Pyrzout: Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now – Source:thehackernews.com
  • ciso2ciso.com: Apache fixed a critical SQL Injection in Apache Traffic Control – Source: securityaffairs.com
  • securityaffairs.com: Apache fixed a critical SQL Injection in Apache Traffic Control
  • Pyrzout: Apache fixed a critical SQL Injection in Apache Traffic Control – Source: securityaffairs.com
  • malware.news: Apache Software Foundation (ASF) addressed a critical SQL Injection vulnerability, tracked as CVE-2024-45387, in Apache Traffic Control.
  • www.scworld.com: Apache fixes Traffic Control bug that attackers could exploit
  • BleepingComputer: The Apache Software Foundation has released security updates to address three severe problems that affect MINA, HugeGraph-Server, and Traffic Control products.
  • Hacker News: Apache fixes Traffic Control bug that attackers could exploit
  • securityonline.info: CVE-2024-45387: PoC Published for Critical SQL Injection in Apache Traffic Control

do son@Cybersecurity News - 79d
Apache Superset, a popular open-source data visualization platform, has been patched to address multiple critical security vulnerabilities. These flaws included SQL injection vulnerabilities, allowing attackers to execute malicious SQL queries and potentially access sensitive data, and improper authorization issues, enabling lower-privileged users to create new roles and escalate their privileges when the FAB_ADD_SECURITY_API was enabled. The vulnerabilities were identified in versions prior to 4.1.0 and affect both API endpoints and PostgreSQL functions. Researchers discovered that inadequate query validation checks allowed bypassing security mechanisms. Specific PostgreSQL functions like `query_to_xml`, `query_to_xml_and_xmlschema`, `table_to_xml`, and `table_to_xml_and_xmlschema` were found to be particularly exploitable.

The Apache Software Foundation has released Apache Superset 4.1.0 to address these vulnerabilities, specifically CVE-2024-53947 (SQL injection), CVE-2024-53948 (metadata exposure), and CVE-2024-53949 (authorization bypass). The update includes comprehensive patches, and users are urged to upgrade immediately. As a temporary mitigation for CVE-2024-53947, users can manually add the vulnerable PostgreSQL functions to the `DISALLOWED_SQL_FUNCTIONS` configuration setting. For CVE-2024-53949, disabling `FAB_ADD_SECURITY_API` is recommended unless it is strictly necessary. The release notes emphasize the importance of this update to protect sensitive data and prevent unauthorized access.

References:
  • Cyber Security News: Report detailing the security vulnerabilities found in Apache Superset.
  • Open Source Security: Discussion of the security flaws and upgrade recommendations for Apache Superset
  • securityonline.info: News article about the release of Apache Superset 4.1.0, which addresses multiple security flaws.
  • Open Source Security: CVE-2024-55633: Apache Superset: SQLLab Improper readonly query validation allows unauthorized write access
  • securityonline.info: CVE-2024-55633: Apache Superset Vulnerability Exposes Sensitive Data to Unauthorized Modification

@www.heise.de - 29d
A critical blind SQL injection vulnerability, tracked as CVE-2025-22217, has been discovered in the VMware Avi Load Balancer. The flaw allows an attacker with network access to send specially crafted SQL queries and potentially gain unauthorized access to the underlying database. It poses a significant risk because it lets attackers bypass authentication and directly read sensitive information stored in the database, which could lead to substantial data breaches and system compromise, making it a major concern for organizations running Avi Load Balancer.

The vulnerability, which scores 8.6 on the CVSS scale, stems from insufficient input validation that allows injection of arbitrary SQL code. Broadcom, the vendor, urges users to apply the patches immediately, as no workarounds are available. The affected versions are in the 30.x range: 30.1.1, 30.1.2, 30.2.1 and 30.2.2 all require patching. Note that if you are running 30.1.1 you MUST upgrade to at least 30.1.2 before applying the patch that resolves this issue. Versions 22.x and 21.x are not susceptible to this flaw.

References:
  • securityaffairs.com: VMware fixed a flaw in Avi Load Balancer
  • socca.tech: CVE-2025-22217: (VMware Avi Load Balancer: High)
  • The Hacker News: Broadcom Warns of High-Severity SQL Injection Flaw in VMware Avi Load Balancer
  • www.heise.de: VMware: High-risk SQL injection vulnerability compromises Avi Load Balancer
  • heise online English: VMware: High-risk SQL injection vulnerability compromises Avi Load Balancer
  • securityonline.info: VMware Avi Load Balancer Flaw (CVE-2025-22217) Exposes Networks to Blind SQLi Attacks
  • Security Risk Advisors: Critical SQL Injection Vulnerability Threatens VMware Avi Load Balancer Security
  • support.broadcom.com: Critical SQL Injection Vulnerability Threatens VMware Avi Load Balancer Security

@jocert.ncsc.jo - 10d
A critical security vulnerability, CVE-2022-31631, has been identified in PHP that could expose websites and applications to SQL injection attacks. The vulnerability resides in the PDO::quote() function when used with SQLite databases and stems from an integer overflow that can leave a string improperly sanitized. Successful exploitation could allow attackers to inject malicious SQL, gain control of the database, steal sensitive data, or modify its content.

Users of PHP are urged to update to patched versions immediately. The vulnerability affects PHP 8.0.x before 8.0.27, 8.1.x before 8.1.15, and 8.2.x before 8.2.2; the fixed versions are 8.0.27, 8.1.15 and 8.2.2 (or later). NetApp has issued advisory NTAP-20230223-0007 acknowledging the vulnerability in multiple NetApp products and stating that successful exploitation could lead to Denial of Service (DoS).

References:
  • cyble.com: CVE-2022-31631: High-Risk PHP Vulnerability Demands Immediate Patch
  • security.netapp.com: Security Advisory for CVE-2022-31631