PgHero can expose data to users through the EXPLAIN feature. This vulnerability has been assigned the CVE identifier CVE-2023-22626.

Versions Affected: 0.1.1 to 3.0.1
Fixed Versions: 3.1.0

Impact

A malicious PgHero user can use the EXPLAIN functionality to extract data from the database. With certain inputs, a user can get the results of a query to appear in an error message. If the PgHero database user has superuser privileges (not recommended), the user can use file access functions to read files on the database server.

Mitigation

All users running an affected version should upgrade when possible.

See #438 for related EXPLAIN security considerations and changes in this release.

Credit

Thanks to Seryun Ham of https://horangi.com (blog) for reporting this.