dbgate-api 7.0.6

Direct Vulnerabilities

Known vulnerabilities in the dbgate-api package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Arbitrary Code Injection dbgate-api is an Allows run DbGate data-manipulation scripts. Affected versions of this package are vulnerable to Arbitrary Code Injection in the `loadReader()` function in `runners.js`. The `functionName` parameter can be injected with arbitrary JavaScript, which is executed with the privileges of the running process. This is only exploitable if the attacker has basic authenticated access to the application. How to fix Arbitrary Code Injection? Upgrade `dbgate-api` to version 7.1.9 or higher.	<7.1.9
C Command Injection dbgate-api is an Allows run DbGate data-manipulation scripts. Affected versions of this package are vulnerable to Command Injection via the `functionName` parameter in the `/runners/load-reader` endpoint. An attacker can execute arbitrary operating system commands as the process user (root in Docker deployments) by injecting malicious input that is interpolated into dynamically generated JavaScript code. This allows the attacker to bypass mitigations and gain full control over the underlying system, leading to privilege escalation, theft of sensitive environment variables, extraction of credentials, network pivoting, and installation of persistent backdoors. How to fix Command Injection? Upgrade `dbgate-api` to version 7.1.9 or higher.	<7.1.9

Vulnerability

Vulnerable Version

Arbitrary Code Injection

dbgate-api is an Allows run DbGate data-manipulation scripts.

Affected versions of this package are vulnerable to Arbitrary Code Injection in the loadReader() function in runners.js. The functionName parameter can be injected with arbitrary JavaScript, which is executed with the privileges of the running process. This is only exploitable if the attacker has basic authenticated access to the application.

How to fix Arbitrary Code Injection?

Upgrade dbgate-api to version 7.1.9 or higher.

<7.1.9

Command Injection

dbgate-api is an Allows run DbGate data-manipulation scripts.

Affected versions of this package are vulnerable to Command Injection via the functionName parameter in the /runners/load-reader endpoint. An attacker can execute arbitrary operating system commands as the process user (root in Docker deployments) by injecting malicious input that is interpolated into dynamically generated JavaScript code. This allows the attacker to bypass mitigations and gain full control over the underlying system, leading to privilege escalation, theft of sensitive environment variables, extraction of credentials, network pivoting, and installation of persistent backdoors.

How to fix Command Injection?

Upgrade dbgate-api to version 7.1.9 or higher.

<7.1.9

dbgate-api@7.0.6

Allows run DbGate data-manipulation scripts.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically