CVE-2023-22626: PgHero Allows Information Disclosure Through EXPLAIN Feature

January 5, 2023 (updated January 11, 2023)

PgHero before 3.1.0 allows Information Disclosure via EXPLAIN because query results may be present in an error message. (Depending on database user privileges, this may only be information from the database, or may be information from file contents on the database server.)

References

github.com/advisories/GHSA-vf99-xw26-86g5
github.com/ankane/pghero/issues/439
github.com/rubysec/ruby-advisory-db/blob/master/gems/pghero/CVE-2023-22626.yml
nvd.nist.gov/vuln/detail/CVE-2023-22626

Code Behaviors & Features

Detect and mitigate CVE-2023-22626 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →