Vulnerability-Lookup

CVE-2020-4035 (GCVE-0-2020-4035)

Vulnerability from cvelistv5 – Published: 2020-06-03 16:50 – Updated: 2024-08-04 07:52

Title

DoS or local data modification via malicious record IDs in WatermelonDB

Summary

In WatermelonDB (NPM package "@nozbe/watermelondb") before versions 0.15.1 and 0.16.2, a maliciously crafted record ID can exploit a SQL Injection vulnerability in iOS adapter implementation and cause the app to delete all or selected records from the database, generally causing the app to become unusable. This may happen in apps that don't validate IDs (valid IDs are `/^[a-zA-Z0-9_-.]+$/`) and use Watermelon Sync or low-level `database.adapter.destroyDeletedRecords` method. The integrity risk is low due to the fact that maliciously deleted records won't synchronize, so logout-login will restore all data, although some local changes may be lost if the malicious deletion causes the sync process to fail to proceed to push stage. No way to breach confidentiality with this vulnerability is known. Full exploitation of SQL Injection is mitigated, because it's not possible to nest an insert/update query inside a delete query in SQLite, and it's not possible to pass a semicolon-separated second query. There's also no known practicable way to breach confidentiality by selectively deleting records, because those records will not be synchronized. It's theoretically possible that selective record deletion could cause an app to behave insecurely if lack of a record is used to make security decisions by the app. This is patched in versions 0.15.1, 0.16.2, and 0.16.1-fix

Severity ?

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/Nozbe/WatermelonDB/security/ad…	x_refsource_CONFIRM
	https://github.com/Nozbe/WatermelonDB/commit/924c…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Nozbe	WatermelonDB	Affected: < 0.15.1 Affected: >= 0.16.0, < 0.16.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T07:52:20.760Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/Nozbe/WatermelonDB/security/advisories/GHSA-38f9-m297-6q9g"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/Nozbe/WatermelonDB/commit/924c7ae2a8d7d6459656751e5b9b1bf91a218025"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WatermelonDB",
          "vendor": "Nozbe",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.15.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.16.0, \u003c 0.16.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In WatermelonDB (NPM package \"@nozbe/watermelondb\") before versions 0.15.1 and 0.16.2, a maliciously crafted record ID can exploit a SQL Injection vulnerability in iOS adapter implementation and cause the app to delete all or selected records from the database, generally causing the app to become unusable. This may happen in apps that don\u0027t validate IDs (valid IDs are `/^[a-zA-Z0-9_-.]+$/`) and use Watermelon Sync or low-level `database.adapter.destroyDeletedRecords` method. The integrity risk is low due to the fact that maliciously deleted records won\u0027t synchronize, so logout-login will restore all data, although some local changes may be lost if the malicious deletion causes the sync process to fail to proceed to push stage. No way to breach confidentiality with this vulnerability is known. Full exploitation of SQL Injection is mitigated, because it\u0027s not possible to nest an insert/update query inside a delete query in SQLite, and it\u0027s not possible to pass a semicolon-separated second query. There\u0027s also no known practicable way to breach confidentiality by selectively deleting records, because those records will not be synchronized. It\u0027s theoretically possible that selective record deletion could cause an app to behave insecurely if lack of a record is used to make security decisions by the app. This is patched in versions 0.15.1, 0.16.2, and 0.16.1-fix"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-06-03T16:50:12",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Nozbe/WatermelonDB/security/advisories/GHSA-38f9-m297-6q9g"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Nozbe/WatermelonDB/commit/924c7ae2a8d7d6459656751e5b9b1bf91a218025"
        }
      ],
      "source": {
        "advisory": "GHSA-38f9-m297-6q9g",
        "discovery": "UNKNOWN"
      },
      "title": "DoS or local data modification via malicious record IDs in WatermelonDB",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-4035",
          "STATE": "PUBLIC",
          "TITLE": "DoS or local data modification via malicious record IDs in WatermelonDB"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "WatermelonDB",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 0.15.1"
                          },
                          {
                            "version_value": "\u003e= 0.16.0, \u003c 0.16.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Nozbe"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In WatermelonDB (NPM package \"@nozbe/watermelondb\") before versions 0.15.1 and 0.16.2, a maliciously crafted record ID can exploit a SQL Injection vulnerability in iOS adapter implementation and cause the app to delete all or selected records from the database, generally causing the app to become unusable. This may happen in apps that don\u0027t validate IDs (valid IDs are `/^[a-zA-Z0-9_-.]+$/`) and use Watermelon Sync or low-level `database.adapter.destroyDeletedRecords` method. The integrity risk is low due to the fact that maliciously deleted records won\u0027t synchronize, so logout-login will restore all data, although some local changes may be lost if the malicious deletion causes the sync process to fail to proceed to push stage. No way to breach confidentiality with this vulnerability is known. Full exploitation of SQL Injection is mitigated, because it\u0027s not possible to nest an insert/update query inside a delete query in SQLite, and it\u0027s not possible to pass a semicolon-separated second query. There\u0027s also no known practicable way to breach confidentiality by selectively deleting records, because those records will not be synchronized. It\u0027s theoretically possible that selective record deletion could cause an app to behave insecurely if lack of a record is used to make security decisions by the app. This is patched in versions 0.15.1, 0.16.2, and 0.16.1-fix"
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/Nozbe/WatermelonDB/security/advisories/GHSA-38f9-m297-6q9g",
              "refsource": "CONFIRM",
              "url": "https://github.com/Nozbe/WatermelonDB/security/advisories/GHSA-38f9-m297-6q9g"
            },
            {
              "name": "https://github.com/Nozbe/WatermelonDB/commit/924c7ae2a8d7d6459656751e5b9b1bf91a218025",
              "refsource": "MISC",
              "url": "https://github.com/Nozbe/WatermelonDB/commit/924c7ae2a8d7d6459656751e5b9b1bf91a218025"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-38f9-m297-6q9g",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-4035",
    "datePublished": "2020-06-03T16:50:12",
    "dateReserved": "2019-12-30T00:00:00",
    "dateUpdated": "2024-08-04T07:52:20.760Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nozbe:watermelondb:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"0.15.1\", \"matchCriteriaId\": \"246C2261-8971-4C09-90AC-15AD5A864A1F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nozbe:watermelondb:0.16.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E9E2E1B2-B5DA-4010-8635-B555309F84C1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nozbe:watermelondb:0.16.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2FF01DBC-C248-40CA-BD58-B75E94D99D3D\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In WatermelonDB (NPM package \\\"@nozbe/watermelondb\\\") before versions 0.15.1 and 0.16.2, a maliciously crafted record ID can exploit a SQL Injection vulnerability in iOS adapter implementation and cause the app to delete all or selected records from the database, generally causing the app to become unusable. This may happen in apps that don\u0027t validate IDs (valid IDs are `/^[a-zA-Z0-9_-.]+$/`) and use Watermelon Sync or low-level `database.adapter.destroyDeletedRecords` method. The integrity risk is low due to the fact that maliciously deleted records won\u0027t synchronize, so logout-login will restore all data, although some local changes may be lost if the malicious deletion causes the sync process to fail to proceed to push stage. No way to breach confidentiality with this vulnerability is known. Full exploitation of SQL Injection is mitigated, because it\u0027s not possible to nest an insert/update query inside a delete query in SQLite, and it\u0027s not possible to pass a semicolon-separated second query. There\u0027s also no known practicable way to breach confidentiality by selectively deleting records, because those records will not be synchronized. It\u0027s theoretically possible that selective record deletion could cause an app to behave insecurely if lack of a record is used to make security decisions by the app. This is patched in versions 0.15.1, 0.16.2, and 0.16.1-fix\"}, {\"lang\": \"es\", \"value\": \"En WatermelonDB (paquete NPM \\\"@nozbe/watermelondb\\\") versiones anteriores a 0.15.1 y 0.16.2, un ID de registro dise\\u00f1ado con fines maliciosos puede explotar una vulnerabilidad de inyecci\\u00f3n SQL en la implementaci\\u00f3n del adaptador iOS y causar que la aplicaci\\u00f3n elimine todo o registros seleccionados de la base de datos, por lo general, la aplicaci\\u00f3n queda inutilizable. Esto puede suceder en aplicaciones que no comprueban los ID (los ID v\\u00e1lidos son \\\"/^[a-zA-Z0-9_-.]+$/\\\") y usan Watermelon Sync o el m\\u00e9todo \\\"database.adapter.destroyDeletedRecords\\\" de bajo nivel . El riesgo de integridad es bajo debido al hecho de que los registros eliminados maliciosamente no se sincronizar\\u00e1n, por lo que el inicio de sesi\\u00f3n cerrar\\u00e1 todos los datos, aunque algunos cambios locales pueden perderse si la eliminaci\\u00f3n maliciosa causa que el proceso de sincronizaci\\u00f3n no avance a la etapa de inserci\\u00f3n. No se conoce ninguna manera de violar la confidencialidad con esta vulnerabilidad. Una explotaci\\u00f3n completa de la inyecci\\u00f3n SQL se mitiga, porque no es posible anidar una consulta de inserci\\u00f3n/actualizaci\\u00f3n dentro de una consulta de eliminaci\\u00f3n en SQLite, y no es posible pasar una segunda consulta separada por punto y coma. Tampoco se conoce una manera pr\\u00e1ctica de violar la confidencialidad mediante la eliminaci\\u00f3n selectiva de registros, porque esos registros no se sincronizar\\u00e1n. Te\\u00f3ricamente es posible que la eliminaci\\u00f3n de registros selectiva pueda hacer que una aplicaci\\u00f3n se comporte de forma no segura si la falta de un registro para tomar decisiones de seguridad es usada por la aplicaci\\u00f3n. Esto est\\u00e1 parcheado en las versiones 0.15.1, 0.16.2 y 0.16.1-fix\"}]",
      "id": "CVE-2020-4035",
      "lastModified": "2024-11-21T05:32:11.750",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 4.2}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 4.2}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:N/I:P/A:P\", \"baseScore\": 5.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-06-03T17:15:26.153",
      "references": "[{\"url\": \"https://github.com/Nozbe/WatermelonDB/commit/924c7ae2a8d7d6459656751e5b9b1bf91a218025\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/Nozbe/WatermelonDB/security/advisories/GHSA-38f9-m297-6q9g\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/Nozbe/WatermelonDB/commit/924c7ae2a8d7d6459656751e5b9b1bf91a218025\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/Nozbe/WatermelonDB/security/advisories/GHSA-38f9-m297-6q9g\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-89\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-4035\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2020-06-03T17:15:26.153\",\"lastModified\":\"2024-11-21T05:32:11.750\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In WatermelonDB (NPM package \\\"@nozbe/watermelondb\\\") before versions 0.15.1 and 0.16.2, a maliciously crafted record ID can exploit a SQL Injection vulnerability in iOS adapter implementation and cause the app to delete all or selected records from the database, generally causing the app to become unusable. This may happen in apps that don\u0027t validate IDs (valid IDs are `/^[a-zA-Z0-9_-.]+$/`) and use Watermelon Sync or low-level `database.adapter.destroyDeletedRecords` method. The integrity risk is low due to the fact that maliciously deleted records won\u0027t synchronize, so logout-login will restore all data, although some local changes may be lost if the malicious deletion causes the sync process to fail to proceed to push stage. No way to breach confidentiality with this vulnerability is known. Full exploitation of SQL Injection is mitigated, because it\u0027s not possible to nest an insert/update query inside a delete query in SQLite, and it\u0027s not possible to pass a semicolon-separated second query. There\u0027s also no known practicable way to breach confidentiality by selectively deleting records, because those records will not be synchronized. It\u0027s theoretically possible that selective record deletion could cause an app to behave insecurely if lack of a record is used to make security decisions by the app. This is patched in versions 0.15.1, 0.16.2, and 0.16.1-fix\"},{\"lang\":\"es\",\"value\":\"En WatermelonDB (paquete NPM \\\"@nozbe/watermelondb\\\") versiones anteriores a 0.15.1 y 0.16.2, un ID de registro dise\u00f1ado con fines maliciosos puede explotar una vulnerabilidad de inyecci\u00f3n SQL en la implementaci\u00f3n del adaptador iOS y causar que la aplicaci\u00f3n elimine todo o registros seleccionados de la base de datos, por lo general, la aplicaci\u00f3n queda inutilizable. Esto puede suceder en aplicaciones que no comprueban los ID (los ID v\u00e1lidos son \\\"/^[a-zA-Z0-9_-.]+$/\\\") y usan Watermelon Sync o el m\u00e9todo \\\"database.adapter.destroyDeletedRecords\\\" de bajo nivel . El riesgo de integridad es bajo debido al hecho de que los registros eliminados maliciosamente no se sincronizar\u00e1n, por lo que el inicio de sesi\u00f3n cerrar\u00e1 todos los datos, aunque algunos cambios locales pueden perderse si la eliminaci\u00f3n maliciosa causa que el proceso de sincronizaci\u00f3n no avance a la etapa de inserci\u00f3n. No se conoce ninguna manera de violar la confidencialidad con esta vulnerabilidad. Una explotaci\u00f3n completa de la inyecci\u00f3n SQL se mitiga, porque no es posible anidar una consulta de inserci\u00f3n/actualizaci\u00f3n dentro de una consulta de eliminaci\u00f3n en SQLite, y no es posible pasar una segunda consulta separada por punto y coma. Tampoco se conoce una manera pr\u00e1ctica de violar la confidencialidad mediante la eliminaci\u00f3n selectiva de registros, porque esos registros no se sincronizar\u00e1n. Te\u00f3ricamente es posible que la eliminaci\u00f3n de registros selectiva pueda hacer que una aplicaci\u00f3n se comporte de forma no segura si la falta de un registro para tomar decisiones de seguridad es usada por la aplicaci\u00f3n. Esto est\u00e1 parcheado en las versiones 0.15.1, 0.16.2 y 0.16.1-fix\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":4.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":4.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:N/I:P/A:P\",\"baseScore\":5.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nozbe:watermelondb:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.15.1\",\"matchCriteriaId\":\"246C2261-8971-4C09-90AC-15AD5A864A1F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nozbe:watermelondb:0.16.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E9E2E1B2-B5DA-4010-8635-B555309F84C1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nozbe:watermelondb:0.16.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2FF01DBC-C248-40CA-BD58-B75E94D99D3D\"}]}]}],\"references\":[{\"url\":\"https://github.com/Nozbe/WatermelonDB/commit/924c7ae2a8d7d6459656751e5b9b1bf91a218025\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/Nozbe/WatermelonDB/security/advisories/GHSA-38f9-m297-6q9g\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/Nozbe/WatermelonDB/commit/924c7ae2a8d7d6459656751e5b9b1bf91a218025\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/Nozbe/WatermelonDB/security/advisories/GHSA-38f9-m297-6q9g\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

FKIE_CVE-2020-4035

Vulnerability from fkie_nvd - Published: 2020-06-03 17:15 - Updated: 2024-11-21 05:32

Severity ?

5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/Nozbe/WatermelonDB/commit/924c7ae2a8d7d6459656751e5b9b1bf91a218025	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/Nozbe/WatermelonDB/security/advisories/GHSA-38f9-m297-6q9g	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/Nozbe/WatermelonDB/commit/924c7ae2a8d7d6459656751e5b9b1bf91a218025	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/Nozbe/WatermelonDB/security/advisories/GHSA-38f9-m297-6q9g	Third Party Advisory

Impacted products

Vendor	Product	Version
nozbe	watermelondb	*
nozbe	watermelondb	0.16.0
nozbe	watermelondb	0.16.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nozbe:watermelondb:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "246C2261-8971-4C09-90AC-15AD5A864A1F",
              "versionEndExcluding": "0.15.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nozbe:watermelondb:0.16.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E9E2E1B2-B5DA-4010-8635-B555309F84C1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nozbe:watermelondb:0.16.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "2FF01DBC-C248-40CA-BD58-B75E94D99D3D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In WatermelonDB (NPM package \"@nozbe/watermelondb\") before versions 0.15.1 and 0.16.2, a maliciously crafted record ID can exploit a SQL Injection vulnerability in iOS adapter implementation and cause the app to delete all or selected records from the database, generally causing the app to become unusable. This may happen in apps that don\u0027t validate IDs (valid IDs are `/^[a-zA-Z0-9_-.]+$/`) and use Watermelon Sync or low-level `database.adapter.destroyDeletedRecords` method. The integrity risk is low due to the fact that maliciously deleted records won\u0027t synchronize, so logout-login will restore all data, although some local changes may be lost if the malicious deletion causes the sync process to fail to proceed to push stage. No way to breach confidentiality with this vulnerability is known. Full exploitation of SQL Injection is mitigated, because it\u0027s not possible to nest an insert/update query inside a delete query in SQLite, and it\u0027s not possible to pass a semicolon-separated second query. There\u0027s also no known practicable way to breach confidentiality by selectively deleting records, because those records will not be synchronized. It\u0027s theoretically possible that selective record deletion could cause an app to behave insecurely if lack of a record is used to make security decisions by the app. This is patched in versions 0.15.1, 0.16.2, and 0.16.1-fix"
    },
    {
      "lang": "es",
      "value": "En WatermelonDB (paquete NPM \"@nozbe/watermelondb\") versiones anteriores a 0.15.1 y 0.16.2, un ID de registro dise\u00f1ado con fines maliciosos puede explotar una vulnerabilidad de inyecci\u00f3n SQL en la implementaci\u00f3n del adaptador iOS y causar que la aplicaci\u00f3n elimine todo o registros seleccionados de la base de datos, por lo general, la aplicaci\u00f3n queda inutilizable. Esto puede suceder en aplicaciones que no comprueban los ID (los ID v\u00e1lidos son \"/^[a-zA-Z0-9_-.]+$/\") y usan Watermelon Sync o el m\u00e9todo \"database.adapter.destroyDeletedRecords\" de bajo nivel . El riesgo de integridad es bajo debido al hecho de que los registros eliminados maliciosamente no se sincronizar\u00e1n, por lo que el inicio de sesi\u00f3n cerrar\u00e1 todos los datos, aunque algunos cambios locales pueden perderse si la eliminaci\u00f3n maliciosa causa que el proceso de sincronizaci\u00f3n no avance a la etapa de inserci\u00f3n. No se conoce ninguna manera de violar la confidencialidad con esta vulnerabilidad. Una explotaci\u00f3n completa de la inyecci\u00f3n SQL se mitiga, porque no es posible anidar una consulta de inserci\u00f3n/actualizaci\u00f3n dentro de una consulta de eliminaci\u00f3n en SQLite, y no es posible pasar una segunda consulta separada por punto y coma. Tampoco se conoce una manera pr\u00e1ctica de violar la confidencialidad mediante la eliminaci\u00f3n selectiva de registros, porque esos registros no se sincronizar\u00e1n. Te\u00f3ricamente es posible que la eliminaci\u00f3n de registros selectiva pueda hacer que una aplicaci\u00f3n se comporte de forma no segura si la falta de un registro para tomar decisiones de seguridad es usada por la aplicaci\u00f3n. Esto est\u00e1 parcheado en las versiones 0.15.1, 0.16.2 y 0.16.1-fix"
    }
  ],
  "id": "CVE-2020-4035",
  "lastModified": "2024-11-21T05:32:11.750",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 4.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-06-03T17:15:26.153",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Nozbe/WatermelonDB/commit/924c7ae2a8d7d6459656751e5b9b1bf91a218025"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/Nozbe/WatermelonDB/security/advisories/GHSA-38f9-m297-6q9g"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Nozbe/WatermelonDB/commit/924c7ae2a8d7d6459656751e5b9b1bf91a218025"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/Nozbe/WatermelonDB/security/advisories/GHSA-38f9-m297-6q9g"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-38F9-M297-6Q9G

Vulnerability from github – Published: 2020-06-03 21:57 – Updated: 2021-01-08 20:15

Summary

DoS via malicious record IDs in WatermelonDB

Details

Impact

Medium severity 5.9 https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H

A maliciously crafted record ID can exploit a SQL Injection vulnerability in iOS adapter implementation and cause the app to delete all or selected records from the database, generally causing the app to become unusable.

This may happen in apps that don't validate IDs (valid IDs are /^[a-zA-Z0-9_-.]+$/) and use Watermelon Sync or low-level database.adapter.destroyDeletedRecords method.

The integrity risk is low due to the fact that maliciously deleted records won't synchronize, so logout-login will restore all data, although some local changes may be lost if the malicious deletion causes the sync process to fail to proceed to push stage.

No way to breach confidentiality with this vulnerability is known. Full exploitation of SQL Injection is mitigated, because it's not possible to nest an insert/update query inside a delete query in SQLite, and it's not possible to pass a semicolon-separated second query. There's also no known practicable way to breach confidentiality by selectively deleting records, because those records will not be synchronized.

It's theoretically possible that selective record deletion could cause an app to behave insecurely if lack of a record is used to make security decisions by the app.

Patches

Patched versions include:

0.15.1
0.16.2
0.16.1-fix
- this is actually the same as 0.16.0, but with the patch applied - as 0.16.1 is causing issues for some users
924c7ae2a8d commit id contains the patch

Workarounds

Ensure that your backend service sanitizes record IDs sent in the pull sync endpoint, such that only IDs matching /^[a-zA-Z0-9_-.]+$/ are returned. This could also be done in JavaScript pullChanges function passed to synchronize()
If you use destroyDeletedRecords directly, validate all IDs passed the same way

For more information

If you have any questions about this advisory, contact @radex.

Severity ?

5.9 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@nozbe/watermelondb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.15.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@nozbe/watermelondb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.16.0"
            },
            {
              "fixed": "0.16.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-4035"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-03T16:41:43Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Impact\n\nMedium severity 5.9 https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H\n\nA maliciously crafted record ID can exploit a SQL Injection vulnerability in iOS adapter implementation and cause the app to delete all or selected records from the database, generally causing the app to become unusable.\n\nThis may happen in apps that don\u0027t validate IDs (valid IDs are `/^[a-zA-Z0-9_-.]+$/`) and use Watermelon Sync or low-level `database.adapter.destroyDeletedRecords` method.\n\nThe integrity risk is low due to the fact that maliciously deleted records won\u0027t synchronize, so logout-login will restore all data, although some local changes may be lost if the malicious deletion causes the sync process to fail to proceed to push stage.\n\nNo way to breach confidentiality with this vulnerability is known. Full exploitation of SQL Injection is mitigated, because it\u0027s not possible to nest an insert/update query inside a delete query in SQLite, and it\u0027s not possible to pass a semicolon-separated second query. There\u0027s also no known practicable way to breach confidentiality by selectively deleting records, because those records will not be synchronized.\n\nIt\u0027s theoretically possible that selective record deletion could cause an app to behave insecurely if lack of a record is used to make security decisions by the app. \n\n## Patches\n\nPatched versions include:\n\n- 0.15.1\n- 0.16.2\n- 0.16.1-fix\n\t- this is actually the same as 0.16.0, but with the patch applied - as 0.16.1 is causing issues for some users\n- `924c7ae2a8d` commit id contains the patch\n\n## Workarounds\n\n1. Ensure that your backend service sanitizes record IDs sent in the `pull sync` endpoint, such that only IDs matching `/^[a-zA-Z0-9_-.]+$/` are returned. This could also be done in JavaScript `pullChanges` function passed to `synchronize()`\n2. If you use `destroyDeletedRecords` directly, validate all IDs passed the same way\n\n## For more information\n\nIf you have any questions about this advisory, contact @radex.",
  "id": "GHSA-38f9-m297-6q9g",
  "modified": "2021-01-08T20:15:00Z",
  "published": "2020-06-03T21:57:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Nozbe/WatermelonDB/security/advisories/GHSA-38f9-m297-6q9g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4035"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Nozbe/WatermelonDB/commit/924c7ae2a8d7d6459656751e5b9b1bf91a218025"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "DoS via malicious record IDs in WatermelonDB"
}

GSD-2020-4035

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2020-4035

Aliases

CVE-2020-4035

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-4035",
    "description": "In WatermelonDB (NPM package \"@nozbe/watermelondb\") before versions 0.15.1 and 0.16.2, a maliciously crafted record ID can exploit a SQL Injection vulnerability in iOS adapter implementation and cause the app to delete all or selected records from the database, generally causing the app to become unusable. This may happen in apps that don\u0027t validate IDs (valid IDs are `/^[a-zA-Z0-9_-.]+$/`) and use Watermelon Sync or low-level `database.adapter.destroyDeletedRecords` method. The integrity risk is low due to the fact that maliciously deleted records won\u0027t synchronize, so logout-login will restore all data, although some local changes may be lost if the malicious deletion causes the sync process to fail to proceed to push stage. No way to breach confidentiality with this vulnerability is known. Full exploitation of SQL Injection is mitigated, because it\u0027s not possible to nest an insert/update query inside a delete query in SQLite, and it\u0027s not possible to pass a semicolon-separated second query. There\u0027s also no known practicable way to breach confidentiality by selectively deleting records, because those records will not be synchronized. It\u0027s theoretically possible that selective record deletion could cause an app to behave insecurely if lack of a record is used to make security decisions by the app. This is patched in versions 0.15.1, 0.16.2, and 0.16.1-fix",
    "id": "GSD-2020-4035"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-4035"
      ],
      "details": "In WatermelonDB (NPM package \"@nozbe/watermelondb\") before versions 0.15.1 and 0.16.2, a maliciously crafted record ID can exploit a SQL Injection vulnerability in iOS adapter implementation and cause the app to delete all or selected records from the database, generally causing the app to become unusable. This may happen in apps that don\u0027t validate IDs (valid IDs are `/^[a-zA-Z0-9_-.]+$/`) and use Watermelon Sync or low-level `database.adapter.destroyDeletedRecords` method. The integrity risk is low due to the fact that maliciously deleted records won\u0027t synchronize, so logout-login will restore all data, although some local changes may be lost if the malicious deletion causes the sync process to fail to proceed to push stage. No way to breach confidentiality with this vulnerability is known. Full exploitation of SQL Injection is mitigated, because it\u0027s not possible to nest an insert/update query inside a delete query in SQLite, and it\u0027s not possible to pass a semicolon-separated second query. There\u0027s also no known practicable way to breach confidentiality by selectively deleting records, because those records will not be synchronized. It\u0027s theoretically possible that selective record deletion could cause an app to behave insecurely if lack of a record is used to make security decisions by the app. This is patched in versions 0.15.1, 0.16.2, and 0.16.1-fix",
      "id": "GSD-2020-4035",
      "modified": "2023-12-13T01:21:48.125857Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-4035",
        "STATE": "PUBLIC",
        "TITLE": "DoS or local data modification via malicious record IDs in WatermelonDB"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "WatermelonDB",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 0.15.1"
                        },
                        {
                          "version_value": "\u003e= 0.16.0, \u003c 0.16.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Nozbe"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In WatermelonDB (NPM package \"@nozbe/watermelondb\") before versions 0.15.1 and 0.16.2, a maliciously crafted record ID can exploit a SQL Injection vulnerability in iOS adapter implementation and cause the app to delete all or selected records from the database, generally causing the app to become unusable. This may happen in apps that don\u0027t validate IDs (valid IDs are `/^[a-zA-Z0-9_-.]+$/`) and use Watermelon Sync or low-level `database.adapter.destroyDeletedRecords` method. The integrity risk is low due to the fact that maliciously deleted records won\u0027t synchronize, so logout-login will restore all data, although some local changes may be lost if the malicious deletion causes the sync process to fail to proceed to push stage. No way to breach confidentiality with this vulnerability is known. Full exploitation of SQL Injection is mitigated, because it\u0027s not possible to nest an insert/update query inside a delete query in SQLite, and it\u0027s not possible to pass a semicolon-separated second query. There\u0027s also no known practicable way to breach confidentiality by selectively deleting records, because those records will not be synchronized. It\u0027s theoretically possible that selective record deletion could cause an app to behave insecurely if lack of a record is used to make security decisions by the app. This is patched in versions 0.15.1, 0.16.2, and 0.16.1-fix"
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/Nozbe/WatermelonDB/security/advisories/GHSA-38f9-m297-6q9g",
            "refsource": "CONFIRM",
            "url": "https://github.com/Nozbe/WatermelonDB/security/advisories/GHSA-38f9-m297-6q9g"
          },
          {
            "name": "https://github.com/Nozbe/WatermelonDB/commit/924c7ae2a8d7d6459656751e5b9b1bf91a218025",
            "refsource": "MISC",
            "url": "https://github.com/Nozbe/WatermelonDB/commit/924c7ae2a8d7d6459656751e5b9b1bf91a218025"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-38f9-m297-6q9g",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c0.15.1||\u003e=0.16.0 \u003c0.16.2",
          "affected_versions": "All versions before 0.15.1, all versions starting from 0.16.0 before 0.16.2",
          "cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-89",
            "CWE-937"
          ],
          "date": "2021-01-08",
          "description": "In WatermelonDB (NPM package \"@nozbe/watermelondb\"), a maliciously crafted record ID can exploit a SQL Injection vulnerability in iOS adapter implementation and cause the app to delete all or selected records from the database, generally causing the app to become unusable. This may happen in apps that don\u0027t validate IDs (valid IDs are `/^[a-zA-Z0-9_-.]+$/`) and use Watermelon Sync or low-level `database.adapter.destroyDeletedRecords` method. The integrity risk is low due to the fact that maliciously deleted records won\u0027t synchronize, so logout-login will restore all data, although some local changes may be lost if the malicious deletion causes the sync process to fail to proceed to push stage. No way to breach confidentiality with this vulnerability is known. Full exploitation of SQL Injection is mitigated, because it\u0027s not possible to nest an insert/update query inside a delete query in SQLite, and it\u0027s not possible to pass a semicolon-separated second query. There\u0027s also no known practicable way to breach confidentiality by selectively deleting records, because those records will not be synchronized. It\u0027s theoretically possible that selective record deletion could cause an app to behave insecurely if lack of a record is used to make security decisions by the app. This is patched ",
          "fixed_versions": [
            "0.15.1",
            "0.16.2"
          ],
          "identifier": "CVE-2020-4035",
          "identifiers": [
            "GHSA-38f9-m297-6q9g",
            "CVE-2020-4035"
          ],
          "not_impacted": "All versions starting from 0.15.1 before 0.16.0, all versions starting from 0.16.2",
          "package_slug": "npm/@nozbe/watermelondb",
          "pubdate": "2020-06-03",
          "solution": "Upgrade to versions 0.15.1, 0.16.2 or above.",
          "title": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
          "urls": [
            "https://github.com/Nozbe/WatermelonDB/security/advisories/GHSA-38f9-m297-6q9g",
            "https://github.com/Nozbe/WatermelonDB/commit/924c7ae2a8d7d6459656751e5b9b1bf91a218025",
            "https://nvd.nist.gov/vuln/detail/CVE-2020-4035",
            "https://github.com/advisories/GHSA-38f9-m297-6q9g"
          ],
          "uuid": "d68d87fb-85b1-489f-a24c-e79d7bb013a8"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:nozbe:watermelondb:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.15.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:nozbe:watermelondb:0.16.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:nozbe:watermelondb:0.16.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-4035"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In WatermelonDB (NPM package \"@nozbe/watermelondb\") before versions 0.15.1 and 0.16.2, a maliciously crafted record ID can exploit a SQL Injection vulnerability in iOS adapter implementation and cause the app to delete all or selected records from the database, generally causing the app to become unusable. This may happen in apps that don\u0027t validate IDs (valid IDs are `/^[a-zA-Z0-9_-.]+$/`) and use Watermelon Sync or low-level `database.adapter.destroyDeletedRecords` method. The integrity risk is low due to the fact that maliciously deleted records won\u0027t synchronize, so logout-login will restore all data, although some local changes may be lost if the malicious deletion causes the sync process to fail to proceed to push stage. No way to breach confidentiality with this vulnerability is known. Full exploitation of SQL Injection is mitigated, because it\u0027s not possible to nest an insert/update query inside a delete query in SQLite, and it\u0027s not possible to pass a semicolon-separated second query. There\u0027s also no known practicable way to breach confidentiality by selectively deleting records, because those records will not be synchronized. It\u0027s theoretically possible that selective record deletion could cause an app to behave insecurely if lack of a record is used to make security decisions by the app. This is patched in versions 0.15.1, 0.16.2, and 0.16.1-fix"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-89"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/Nozbe/WatermelonDB/commit/924c7ae2a8d7d6459656751e5b9b1bf91a218025",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/Nozbe/WatermelonDB/commit/924c7ae2a8d7d6459656751e5b9b1bf91a218025"
            },
            {
              "name": "https://github.com/Nozbe/WatermelonDB/security/advisories/GHSA-38f9-m297-6q9g",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/Nozbe/WatermelonDB/security/advisories/GHSA-38f9-m297-6q9g"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.5,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 4.2
        }
      },
      "lastModifiedDate": "2020-06-11T19:56Z",
      "publishedDate": "2020-06-03T17:15Z"
    }
  }
}

CNVD-2021-31255

Vulnerability from cnvd - Published: 2021-04-27

Title

WatermelonDB SQL注入漏洞

Description

WatermelonDB是下一代React数据库，可构建功能强大的 React 和 React Native 应用程序，可在保持快速的同时从数百个记录扩展到数万个记录。 WatermelonDB 0.15.1之前版本和0.16.2之前版本中存在SQL注入漏洞，该漏洞源于基于数据库的应用缺少对外部输入SQL语句的验证，攻击者可利用该漏洞执行非法SQL命令。

Severity

中

Patch Name

WatermelonDB SQL注入漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/Nozbe/WatermelonDB/security/advisories/GHSA-38f9-m297-6q9g

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-4035

Impacted products

Name
['WatermelonDB WatermelonDB <0.15.1', 'WatermelonDB WatermelonDB <0.16.2']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-4035"
    }
  },
  "description": "WatermelonDB\u662f\u4e0b\u4e00\u4ee3React\u6570\u636e\u5e93\uff0c\u53ef\u6784\u5efa\u529f\u80fd\u5f3a\u5927\u7684 React \u548c React Native\n\u5e94\u7528\u7a0b\u5e8f\uff0c\u53ef\u5728\u4fdd\u6301\u5feb\u901f\u7684\u540c\u65f6\u4ece\u6570\u767e\u4e2a\u8bb0\u5f55\u6269\u5c55\u5230\u6570\u4e07\u4e2a\u8bb0\u5f55\u3002\n\nWatermelonDB 0.15.1\u4e4b\u524d\u7248\u672c\u548c0.16.2\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u57fa\u4e8e\u6570\u636e\u5e93\u7684\u5e94\u7528\u7f3a\u5c11\u5bf9\u5916\u90e8\u8f93\u5165SQL\u8bed\u53e5\u7684\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u975e\u6cd5SQL\u547d\u4ee4\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/Nozbe/WatermelonDB/security/advisories/GHSA-38f9-m297-6q9g",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-31255",
  "openTime": "2021-04-27",
  "patchDescription": "WatermelonDB\u662f\u4e0b\u4e00\u4ee3React\u6570\u636e\u5e93\uff0c\u53ef\u6784\u5efa\u529f\u80fd\u5f3a\u5927\u7684 React \u548c React Native\r\n\u5e94\u7528\u7a0b\u5e8f\uff0c\u53ef\u5728\u4fdd\u6301\u5feb\u901f\u7684\u540c\u65f6\u4ece\u6570\u767e\u4e2a\u8bb0\u5f55\u6269\u5c55\u5230\u6570\u4e07\u4e2a\u8bb0\u5f55\u3002\r\n\r\nWatermelonDB 0.15.1\u4e4b\u524d\u7248\u672c\u548c0.16.2\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u57fa\u4e8e\u6570\u636e\u5e93\u7684\u5e94\u7528\u7f3a\u5c11\u5bf9\u5916\u90e8\u8f93\u5165SQL\u8bed\u53e5\u7684\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u975e\u6cd5SQL\u547d\u4ee4\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "WatermelonDB SQL\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "WatermelonDB WatermelonDB \u003c0.15.1",
      "WatermelonDB WatermelonDB \u003c0.16.2"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-4035",
  "serverity": "\u4e2d",
  "submitTime": "2020-06-04",
  "title": "WatermelonDB SQL\u6ce8\u5165\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-4035 (GCVE-0-2020-4035)

FKIE_CVE-2020-4035

GHSA-38F9-M297-6Q9G

Impact

Patches

Workarounds

For more information

GSD-2020-4035

CNVD-2021-31255

Tags

Sightings

Nomenclature