CVE-2019-10757
SQL Injection vulnerability in knex

Vulnerability type: SQL Injection. Known public exploits: none.

What is CVE-2019-10757 About?

knex.js versions before 0.19.5 are vulnerable to SQL injection in the MSSQL dialect because of incorrect identifier escaping: identifiers are wrapped in square brackets, but a closing bracket (`]`) inside the identifier is not escaped, so attacker-controlled input used as a table or column name can terminate the identifier and append arbitrary SQL. Successful exploitation can lead to unauthorized data access, modification, or compromise of the underlying database. The flaw is in identifier quoting, not in value binding: an application is exposed only where it passes untrusted input into a query position that knex treats as an identifier, such as a user-selected sort column.

Affected Software

knex <0.19.5

Technical Details

The vulnerability lies in the `knex.js` query builder, specifically in its MSSQL dialect implementation in versions prior to 0.19.5. When identifiers (table names, column names, aliases) are placed into SQL built by `knex.js`, the dialect is supposed to quote them so that they cannot be interpreted as SQL syntax. T-SQL quotes an identifier by wrapping it in square brackets, and a literal `]` inside the identifier must be written as `]]`. The MSSQL dialect in affected versions wraps the identifier in brackets but does not double an embedded `]`, so an attacker who controls an identifier can close the bracket early and everything after it is parsed as SQL. For example, if an application builds `SELECT * FROM [users] ORDER BY [column]` from a user-supplied sort column, the input `id]; DROP TABLE users; --` yields `SELECT * FROM [users] ORDER BY [id]; DROP TABLE users; --]`: the bracket is closed after `id`, a second statement is appended, and the trailing `]` is commented out. With correct escaping the same input becomes `[id]]; DROP TABLE users; --]`, a single (nonexistent) column name, and the query fails safely. This is classic SQL injection through an unescaped identifier.
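The following is an added example, not code from knex itself. It models the behaviour described above with two hypothetical wrappers (a vulnerable one that only adds brackets and a fixed one that doubles `]`), a small lexer that shows which identifier an MSSQL parser would actually see and what text leaks out after the bracket, and the application-side allow-list that a sort parameter should go through regardless of knex version. The table and column names and the `ATTACKER_SORT` input are constructed for the demonstration.

```javascript
// Added example; not knex's own source. Function names are hypothetical.

// Vulnerable behaviour: wrap in [] with no escaping of an embedded ']'.
function wrapIdentifierVulnerable(name) {
  if (name === '*') return '*';
  return `[${name}]`;
}

// Hardened behaviour: T-SQL writes a literal ']' inside a bracketed
// identifier as ']]', so a ']' in the input can no longer close the bracket.
function wrapIdentifierFixed(name) {
  if (name === '*') return '*';
  return `[${String(name).replace(/\]/g, ']]')}]`;
}

// Mini lexer for one bracketed T-SQL identifier. Returns the identifier the
// server would see and whatever text remains after the closing bracket;
// any leftover text is exactly the SQL an attacker managed to inject.
function lexBracketed(sql) {
  if (sql[0] !== '[') throw new Error('expected "["');
  let ident = '';
  let i = 1;
  while (i < sql.length) {
    if (sql[i] === ']') {
      if (sql[i + 1] === ']') { ident += ']'; i += 2; continue; } // escaped ]
      return { identifier: ident, rest: sql.slice(i + 1) };
    }
    ident += sql[i];
    i += 1;
  }
  throw new Error('unterminated bracketed identifier');
}

// The pattern from the advisory: a request-controlled sort column ends up as
// an identifier in ORDER BY (hypothetical table and column names).
function buildUserListQuery(wrap, sortColumn) {
  return `SELECT * FROM ${wrap('users')} ORDER BY ${wrap(sortColumn)}`;
}

// Defence that does not depend on the knex version: identifiers come from a
// fixed allow-list, never straight from the request.
const SORTABLE_COLUMNS = new Set(['id', 'email', 'created_at']);

function safeSortColumn(requested) {
  if (!SORTABLE_COLUMNS.has(requested)) {
    throw new Error(`unsupported sort column: ${JSON.stringify(requested)}`);
  }
  return requested;
}

// Constructed attacker input: closes the bracket after "id", terminates the
// statement, appends a second statement, and comments out the dangling ']'.
const ATTACKER_SORT = 'id]; DROP TABLE users; --';

function demo() {
  const injected = buildUserListQuery(wrapIdentifierVulnerable, ATTACKER_SORT);
  const escaped = buildUserListQuery(wrapIdentifierFixed, ATTACKER_SORT);
  console.log('knex < 0.19.5 :', injected);
  console.log('knex >= 0.19.5:', escaped);
  console.log('parser sees (vulnerable):', lexBracketed(wrapIdentifierVulnerable(ATTACKER_SORT)));
  console.log('parser sees (fixed)     :', lexBracketed(wrapIdentifierFixed(ATTACKER_SORT)));
  try {
    safeSortColumn(ATTACKER_SORT);
  } catch (e) {
    console.log('allow-list rejected input:', e.message);
  }
  return { injected, escaped };
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

`lexBracketed` is the useful check here: for the vulnerable wrapper it returns the identifier `id` with `; DROP TABLE users; --]` left over, while for the fixed wrapper the whole attacker string is one identifier and nothing is left over. The allow-list is the control to keep even after upgrading, because a sort or filter parameter should never reach the query builder as a free-form identifier.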

What is the Impact of CVE-2019-10757?

Successful exploitation may allow attackers to execute arbitrary SQL commands on the underlying database, leading to unauthorized data access, modification, deletion, or complete database compromise.

What is the Exploitability of CVE-2019-10757?

Exploitation requires an attacker to supply input that the application subsequently uses as an identifier in a `knex.js` query against an MSSQL database. No authentication is needed if the application exposes the affected query parameter to unauthenticated users, and the attack is remote. Complexity is low once such a parameter is found: the payload only has to contain a closing `]` followed by the SQL to run. The prerequisites are an affected `knex.js` version with the MSSQL dialect, and untrusted input reaching a part of the query that knex treats as an identifier rather than a bound value. Typical risk factors are publicly exposed endpoints whose search, filter, or sort parameters are mapped directly to column or table names, with the application relying on knex's identifier quoting instead of validating the name against an allow-list.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link, or commentary recorded).

What are the Available Fixes for CVE-2019-10757?

Available Upgrade Options

  • knex
    • <0.19.5 → Upgrade to 0.19.5 or later


Additional Resources

What are Similar Vulnerabilities to CVE-2019-10757?

Similar Vulnerabilities: CVE-2019-10747, CVE-2020-7667, CVE-2021-23368, CVE-2022-21696, CVE-2023-45136