PT-2022-23048 · Postgres+1

Achrinz · Published 2022-08-11 · Updated 2022-08-16 · CVE-2022-35942

CVSS v3.1: 9.3 (Critical)
Vector: AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

LoopBack versions prior to 5.5.1

Description

Improper input validation on the contains LoopBack filter may allow for arbitrary SQL injection. When the extended filter property contains is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL, which may affect the confidentiality and integrity of data stored on the connected database. This affects users who connect to the database via the DataSource with the allowExtendedProperties: true setting, use the connector's CRUD methods directly, or use the connector's other methods to interpret the LoopBack filter.

Recommendations

For versions prior to 5.5.1, upgrade to version 5.5.1 to resolve the issue. If unable to upgrade, remove the allowExtendedProperties: true DataSource setting and add the allowExtendedProperties: false DataSource setting. When passing user input directly to the connector functions, manually sanitize the input for the contains LoopBack filter beforehand.
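One way to do the manual check from the last recommendation, as an added example that is not LoopBack or connector code: it rejects any contains operand that is not a short list of allowlisted values before the filter is handed to a connector method. The function names, the character allowlist and the size limits are assumptions for a hypothetical application and should be matched to the data the array columns really hold.

```javascript
// Added example (not LoopBack code): reject unexpected `contains` operands
// in a LoopBack-style filter before it is handed to a connector method.

// Assumption: array columns in this hypothetical app hold short tag-like
// values, so anything outside this allowlist (quotes, parens, ...) is refused.
const SAFE_ELEMENT = /^[A-Za-z0-9 _.\-]{1,64}$/;
const MAX_ELEMENTS = 50; // assumed upper bound for one `contains` list

function isSafeContainsOperand(value) {
  return Array.isArray(value) && value.length > 0 && value.length <= MAX_ELEMENTS &&
    value.every((v) =>
      (typeof v === 'number' && Number.isFinite(v)) ||
      (typeof v === 'string' && SAFE_ELEMENT.test(v)));
}

// Walks a `where` clause, including and/or branches, collecting problems.
function checkWhere(where, path = 'where', problems = []) {
  if (where === null || typeof where !== 'object' || Array.isArray(where)) {
    problems.push(`${path}: expected an object`);
    return problems;
  }
  for (const [key, cond] of Object.entries(where)) {
    const here = `${path}.${key}`;
    if (key === 'and' || key === 'or') {
      if (!Array.isArray(cond)) problems.push(`${here}: expected an array`);
      else cond.forEach((c, i) => checkWhere(c, `${here}[${i}]`, problems));
    } else if (cond !== null && typeof cond === 'object' &&
        Object.prototype.hasOwnProperty.call(cond, 'contains') &&
        !isSafeContainsOperand(cond.contains)) {
      problems.push(`${here}.contains: operand not allowed`);
    }
  }
  return problems;
}

// Throws a 400-style error instead of trying to "clean" the input.
function assertSafeFilter(filter) {
  const problems = filter && filter.where !== undefined ? checkWhere(filter.where) : [];
  if (problems.length > 0) {
    const err = new Error(`filter rejected: ${problems.join('; ')}`);
    err.statusCode = 400;
    throw err;
  }
  return filter;
}
```

Call assertSafeFilter on the request-supplied filter at the point where it would otherwise be passed to the connector.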

Exploit

Fix

SQL injection

RCE

Weakness Enumeration

Related Identifiers

CVE-2022-35942
GHSA-J259-6C58-9M58

Affected Products

Loopback
Postgres