Threat Encyclopedia

JSON.function.based.SQL.Injection

description-logoDescription

Using JSON syntax, it is possible to craft new SQLi payloads. These payloads, since they are not commonly known, could be used to fly under the radar and bypass many security tools.

affected-products-logoAffected Products

PostgreSQL >= v9.2
MySQL >= v5.7.8
SQLite >= v3.38.0
SQLServer >= v2016

Impact logoImpact

SQL injection: Remote attackers can exploit SQL injection vulnerability that they used to exfiltrate users’ sessions, SSH keys, password hashes, tokens, and verification codes.

recomended-action-logoRecommended Actions

Apply the most recent upgrade or patch from the vend or disable JSON in DB.