Impact
If a database query (such as a SQL or NoSQL query) is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.
Patches
Yet to be patched.
Workarounds
Most database connector libraries offer a way of safely embedding untrusted data into a query using query parameters or prepared statements.
For NoSQL queries, make use of an operator like MongoDB's $eq to ensure that untrusted data is interpreted as a literal value and not as a query object.
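An added example (not code from the advisory or the affected project) showing both workarounds side by side: a string-built SQL query beside its parameterized form, and a MongoDB-style filter that wraps the untrusted value in $eq. It assumes sqlite3 as a stand-in SQL connector and builds the NoSQL filter as a plain dict (the shape a driver such as pymongo accepts), so no database server is needed.

```python
import sqlite3
from typing import Any, Dict, List, Tuple


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("O'Brien",)])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Vulnerable pattern: untrusted data is spliced into the query text.
    A value containing a quote changes the SQL itself; here it simply breaks
    the statement, which is how the defect usually first shows up in logs."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Hardened form: the driver binds the parameter, so the value is never
    parsed as SQL regardless of what characters it contains."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def unsafe_query_breaks(conn: sqlite3.Connection, username: str) -> bool:
    """True if the string-built query fails to parse for this input."""
    try:
        find_user_unsafe(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


def nosql_user_filter(username: Any) -> Dict[str, Any]:
    """Build a MongoDB-style filter for an untrusted value.
    Without $eq, a request body such as {"username": {"$ne": ""}} would be
    passed straight through as a query operator and match every document.
    Rejecting non-string input and wrapping the value in $eq makes the
    comparison literal."""
    if not isinstance(username, str):
        raise TypeError("username must be a string, not a query object")
    return {"username": {"$eq": username}}
```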
References
For more information
If you have any questions or comments about this advisory: