This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: Electric SQL Engine has a **SQL Injection** flaw in the `/v1/shape` API's `order_by` parameter. …
**Root Cause**: **CWE-89** (SQL Injection). The flaw stems from **improper validation** of the `order_by` parameter, allowing raw SQL expressions to be injected directly into queries without sanitization.
Q3 Who is affected? (Versions/Components)
**Affected**: **Electric SQL** (Postgres real-time sync engine). Specifically versions **1.1.12** up to (but not including) **1.5.0**. **Vendor**: electric-sql.
Q4 What can hackers do? (Privileges/Data)
**Attacker Capabilities**: Any **authenticated user** can exploit this. They gain the ability to **read**, **write**, and **destroy** all data in the underlying PostgreSQL database. …
**Public Exploit**: **No**. The `pocs` field is empty. While advisory links exist, there is no confirmed public Proof-of-Concept (PoC) or in-the-wild exploitation code available yet.
Q7 How to self-check? (Features/Scanning)
**Self-Check**: Scan for Electric SQL instances running versions **1.1.12 - 1.4.x**. Check whether the `/v1/shape` API endpoint is exposed and accepts `order_by` parameters. …
**Fixed**: **Yes**. The vulnerability is patched in version **1.5.0** and later. **Reference**: See GitHub Advisory GHSA-h5rg-pxx7-r2hj and PR #4081 for the official fix details.
Q9 What if no patch? (Workaround)
**No Patch Workaround**: If you cannot upgrade immediately, **restrict network access** to the `/v1/shape` API. Ensure strict **authentication controls** are in place. …
**Urgency**: **HIGH**. The CVSS score indicates **Critical** impact (C:H, I:H, A:H). Since it allows full database destruction by authenticated users, patch to **v1.5.0+** immediately.