@csoonline.com
A high-severity SQL injection vulnerability, identified as CVE-2025-1094, has been discovered in PostgreSQL's psql interactive tool. Rapid7 researchers found that threat actors exploited this zero-day flaw in conjunction with a BeyondTrust vulnerability (CVE-2024-12356) during targeted attacks in December 2024. Specifically, attackers who exploited a zero-day vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products in December 2024 likely also exploited a previously unknown SQL injection flaw in PostgreSQL.
This vulnerability enables attackers to execute arbitrary SQL commands, potentially leading to OS command execution. The flaw stems from how PostgreSQL handles invalid UTF-8 characters, which allows attackers to inject malicious code via a shortcut command "\!". Rapid7 discovered that successful exploitation of the BeyondTrust vulnerability required exploiting CVE-2025-1094 to achieve remote code execution. Patches have been released for PostgreSQL versions 13 through 17 to address this issue, and users are advised to upgrade their database servers immediately.
@www.heise.de
A critical blind SQL injection vulnerability, identified as CVE-2025-22217, has been discovered in the VMware Avi Load Balancer. This flaw allows attackers with network access to send specially crafted SQL queries, potentially gaining unauthorized access to the underlying database. The vulnerability poses a significant risk, enabling attackers to bypass authentication and directly access sensitive information stored within the database. This access could lead to substantial data breaches and system compromise, making it a major concern for organizations using Avi Load Balancer.
The vulnerability, which scores 8.6 on the CVSS scale, stems from insufficient input validation, allowing for the injection of arbitrary SQL code. Broadcom, the vendor, urges users to apply the necessary patches immediately, as no workarounds are available. The affected versions are primarily within the 30.x range; specifically, 30.1.1, 30.1.2, 30.2.1 and 30.2.2 all require patching. Installations running 30.1.1 must first upgrade to at least 30.1.2 before applying the patch. Versions 22.x and 21.x are not susceptible to this particular flaw.
@jocert.ncsc.jo
A critical security vulnerability, CVE-2022-31631, has been identified in PHP that could expose websites and applications to SQL injection attacks. The vulnerability resides in the PDO::quote() function when used with SQLite databases. This flaw stems from an integer overflow issue, potentially leading to improper string sanitization. Successful exploitation could allow attackers to inject malicious code, gain control of the database, steal sensitive data, or modify database content.
Users of PHP are urged to update to patched versions immediately. The vulnerability affects PHP versions 8.0.x before 8.0.27, 8.1.x before 8.1.15, and 8.2.x before 8.2.2. The fixed versions are PHP 8.0.27, 8.1.15 and 8.2.2 (or later). NetApp has issued an advisory, NTAP-20230223-0007, acknowledging the vulnerability in multiple NetApp products and stating that successful exploitation could lead to Denial of Service (DoS).
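To check a fleet against the CVE-2022-31631 ranges listed above, the following added example (not code from PHP, NetApp or the source article) triages an inventory of PHP version strings. The host names and versions in `SAMPLE_INVENTORY` are constructed, and the function names are hypothetical.

```python
import re

# Fixed patch level per affected branch, as listed in the summary above.
FIXED_PATCH = {(8, 0): 27, (8, 1): 15, (8, 2): 2}

# Leading "major.minor.patch"; packaging suffixes such as "-1ubuntu2" are ignored.
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def triage(version):
    """Classify one PHP version string against the listed ranges.

    Only the upstream version number is compared. A distribution package
    may carry a backported fix under an older number, so 'affected' means
    "check the vendor changelog or upgrade", not proof of exposure.
    """
    m = _VERSION.match(version)
    if m is None:
        return "unparseable"
    major, minor, patch = map(int, m.groups())
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        # Branch not named in the summary: make no claim either way.
        return "unlisted"
    # Integer comparison, so 8.2.10 correctly sorts after 8.2.2.
    return "affected" if patch < fixed else "fixed"


def triage_inventory(inventory):
    """Return (host, version, status) rows, most urgent first."""
    order = {"affected": 0, "unparseable": 1, "unlisted": 2, "fixed": 3}
    rows = [(host, ver, triage(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Constructed sample data for illustration only.
SAMPLE_INVENTORY = {
    "web-01": "8.1.14",
    "web-02": "8.2.10",
    "api-01": "8.0.27",
    "batch-01": "7.4.33",
    "legacy-01": "8.1.2-1ubuntu2.14",
    "edge-01": "unknown",
}

if __name__ == "__main__":
    for host, ver, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:10} {ver:20} {status}")
```
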