CVE-2016-20018
SQL injection vulnerability in knex (npm)
What is CVE-2016-20018 About?
This vulnerability in Knex.js through version 2.3.0 is a limited SQL injection that allows attackers to bypass the 'WHERE' clause in SQL queries. Its impact is primarily on data integrity and unauthorized data access. Exploitation requires careful crafting of input data but is generally feasible due to the nature of SQL injection.
Affected Software
Technical Details
The vulnerability in Knex.js (versions through 2.3.0) manifests as a limited SQL injection, specifically enabling the bypass of the WHERE clause in SQL queries. This occurs when user-supplied input is not properly sanitized or escaped before being incorporated into a SQL query, particularly in contexts related to query conditions. An attacker can craft malicious input that, when injected, alters the query's logical structure, causing the WHERE clause to be ignored or evaluated in a way that always returns true (e.g., by injecting OR 1=1). This allows the attacker to retrieve or manipulate data across the entire table, bypassing intended row-level access restrictions defined by the WHERE clause.
What is the Impact of CVE-2016-20018?
Successful exploitation may allow attackers to bypass intended data filters, access unauthorized data, modify or delete records they should not have access to, leading to a compromise of data confidentiality and integrity.
What is the Exploitability of CVE-2016-20018?
Exploitation complexity is moderate, as it requires crafting specific malicious input that interacts with how Knex.js constructs SQL queries. No authentication or privileged access beyond what is required to interact with the application’s data query functionality is necessary. The attack is typically remote, as it involves sending malicious data through the application's interface. Prerequisites include an application using a vulnerable version of Knex.js where user input can influence the SQL WHERE clause. Special conditions might involve identifying specific query patterns that are vulnerable. The risk of exploitation is higher in applications that accept untrusted input without robust validation and sanitization, which is then directly or indirectly used in database queries.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2016-20018?
About the Fix from Resolved Security
This patch modifies the MySQL query compiler to throw an error if an object or array is passed as a value to a where clause, preventing such types in both basic and raw where statements. This mitigates the risk described in CVE-2016-20018, which arises when object or array injection allows attackers to manipulate SQL queries and potentially execute SQL injection via prototype pollution or crafted payloads. By restricting accepted where clause values to scalars, the patch blocks malformed or malicious objects/arrays that could have been exploited for SQL injection attacks.
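As an added example (not knex's own code and not the upstream patch), the following application-side guard enforces the same scalar-only rule before a filter object ever reaches a `where` call; the allowed-column list and the sample request bodies are assumed and constructed for illustration.

```javascript
// Added example, not part of knex: mirror the 2.4.0 fix at the application
// boundary by refusing object/array values before they reach knex's where().
// The allow-list and sample request bodies below are constructed for this demo.

const SCALAR_TYPES = new Set(['string', 'number', 'boolean']);

// Only values that bind as a single SQL parameter are allowed.
function isScalar(value) {
  return value === null || SCALAR_TYPES.has(typeof value);
}

// Validate a parsed JSON filter object against an allow-list of columns.
// Returns { ok: true, filters } or { ok: false, error } so a caller can
// reject the request with a 400 instead of building the query.
function validateWhereFilters(body, allowedColumns) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, error: 'filters must be a JSON object' };
  }
  const filters = {};
  for (const [column, value] of Object.entries(body)) {
    if (!allowedColumns.includes(column)) {
      return { ok: false, error: `unknown filter column: ${column}` };
    }
    // This is the check the knex patch adds inside the query compiler: an
    // object or array here is not bound as one value by the MySQL driver.
    if (!isScalar(value)) {
      const kind = Array.isArray(value) ? 'array' : typeof value;
      return { ok: false, error: `filter "${column}" must be a scalar, got ${kind}` };
    }
    filters[column] = value;
  }
  return { ok: true, filters };
}

// Constructed sample inputs: one well-formed request and two that place a
// non-scalar where the application expects a plain id.
const ALLOWED = ['id', 'email'];
const benign = { id: 42 };
const objectValue = { id: { email: 'x' } };
const arrayValue = { id: [1, 2, 3] };

function demo() {
  return {
    benign: validateWhereFilters(benign, ALLOWED),
    objectValue: validateWhereFilters(objectValue, ALLOWED),
    arrayValue: validateWhereFilters(arrayValue, ALLOWED),
  };
}

// Intended use with knex (not executed here):
//   const r = validateWhereFilters(req.body, ALLOWED);
//   if (!r.ok) return res.status(400).send(r.error);
//   const rows = await knex('users').where(r.filters);
```

Upgrading to knex 2.4.0 remains the actual fix; this guard only adds defence in depth for applications that cannot upgrade immediately.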
Available Upgrade Options
- knex
- <2.4.0 → Upgrade to 2.4.0
Additional Resources
- https://github.com/knex/knex/commit/e145322da92749be7749f9ade5b5f5a66d6586a4
- https://nvd.nist.gov/vuln/detail/CVE-2016-20018
- https://github.com/knex/knex
- https://github.com/knex/knex/pull/5417
- https://osv.dev/vulnerability/GHSA-4jv9-3563-23j3
- https://www.ghostccamm.com/blog/knex_sqli
- https://github.com/knex/knex/issues/1227
- https://github.com/knex/knex/releases/tag/2.4.0
What are Similar Vulnerabilities to CVE-2016-20018?
Similar Vulnerabilities: CVE-2023-38035, CVE-2023-45802, CVE-2023-46237, CVE-2023-46849, CVE-2023-48795
