Lucene search

GitHub Advisory DatabaseGHSA-QX2J-85Q5-FFP8

HistoryJun 24, 2022 - 12:00 a.m.

Query predicate bypass in Zalando Skipper

2022-06-2400:00:32

GitHub Advisory Database

github.com

zalando skipper

query predicate

bypass

prepared request

security issue

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

33.9%

JSON

In Zalando Skipper before 0.13.218, a query predicate could be bypassed via a prepared request.

Affected configurations

Vulners

Node

zalandoskipperRange<0.13.218

VendorProductVersionCPE
zalandoskipper*cpe:2.3:a:zalando:skipper:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
zalando	skipper	*	cpe:2.3:a:zalando:skipper::::::::

References

github.com/advisories/GHSA-qx2j-85q5-ffp8

github.com/zalando/skipper/commit/998a658ce5a68a336a98f4e63e4371e200860dfc

github.com/zalando/skipper/pull/2028

github.com/zalando/skipper/releases/tag/v0.13.218

nvd.nist.gov/vuln/detail/CVE-2022-34296

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

33.9%

JSON

Related for GHSA-QX2J-85Q5-FFP8