Supabase PostgreSQL v15.1 Vulnerable to SQL Injection via /pg_meta/default/query
CVE-2024-24213
9.8 CRITICAL
What is CVE-2024-24213?
A SQL injection vulnerability has been identified in the Supabase dashboard component of Supabase PostgreSQL version 15.1. The flaw resides in the /pg_meta/default/query interface, which is intended to let authorized users execute SQL queries through a guided UI. The vendor regards this behavior as an intended feature rather than a security flaw. Even so, users should exercise caution when interacting with this functionality, because it could be misused in unauthorized contexts, and should apply proper security practices around it.
