JVNDB-2014-000142

[Japanese]
JVNDB-2014-000142
DBD::PgPP vulnerable to SQL injection
Overview
DBD::PgPP is a pure-Perl client interface for the PostgreSQL database. DBD::PgPP contains a SQL injection vulnerability. Toshiharu Sugiyama reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)
CVSS V2 Severity: Base Metrics 6.8 (Medium) [IPA Score] Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
Affected Products

DBD::PgPP DBD::PgPP Version 0.05 and earlier

Impact
If DBD::PgPP is used in a program, a remote attacker may execute an arbitrary SQL command.
Solution
[Update the software] Update to the latest version according to the information provided by the developer.
Vendor Information
DBD::PgPP DBD::PgPP : DBD::PgPP - Pure Perl PostgreSQL driver for the DBI DBD::PgPP : Bug #23900 for DBD-PgPP: Handling of a '?'-containing argument in function execute DBD::PgPP : Bug #32864 for DBD-PgPP: DBD::PgPP bug
CWE (What is CWE?)
SQL Injection(CWE-89) [IPA Evaluation]
CVE (What is CVE?)
CVE-2014-7257
References
JVN : JVN#70490316
Revision History
[2014/12/03] Web page was published

DBD::PgPP vulnerable to SQL injection