An authenticated attacker with create access could conduct a SQL Injection attack on MySQL DB using unescaped table_name.
async columnList(args: any = {}) {
const func = this.columnList.name;
const result = new Result();
log.api(`${func}:args:`, args);
try {
args.databaseName = this.connectionConfig.connection.database;
const response = await this.sqlClient.raw(
`select *, table_name as tn from information_schema.columns where table_name = '${args.tn}' ORDER by ordinal_position`,
);
The variable ${args.tn} refers to the table name entered by the user. A malicious attacker can escape the existing query by including a special character (') in the table name and insert and execute a new arbitrary SQL query.
This vulnerability may result in leakage of sensitive data in the database.
{ "nvd_published_at": "2024-05-14T14:17:02Z", "cwe_ids": [ "CWE-89" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-05-13T16:46:59Z" }