CVE Request 6: Path Traversal in read_log Module


  • Title: Path Traversal Vulnerability in read_log Module Due to Unvalidated File Path

  • Affected Component: module/read_log.go, Prepare method

  • Attack Vector: A malicious SQL query that passes an arbitrary path to the function, such as SELECT * FROM read_log('/proc/self/environ' AS path).

  • Description: The read_log function opens whatever path the caller supplies, with no normalization and no check that the path lies inside the intended log directory. Any user who can issue a query can therefore read any file the database server process is permitted to open.

  • Vulnerability Type: Path Traversal (CWE-22)

  • Impact: Reading /proc/self/environ discloses the server process's environment variables, which commonly hold credentials and connection strings; other readable files (configuration, keys, system files) can be exposed the same way, giving an attacker material for further attacks.

  • Suggested Fix: Normalize the supplied path with filepath.Clean, resolve it to an absolute path, and reject any result that does not remain under a designated log directory. The containment check should compare path components (for example via filepath.Rel) rather than a raw string prefix, so that a sibling directory such as app-secrets next to app is not accepted, and symlinks should be resolved before the final check so a link placed inside the log directory cannot point back out of it.
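The following Go code is an added illustration of the fix described above; it is not the project's read_log implementation. The function names (vulnerableReadLog, resolveLogPath, safeReadLog), the allowed directory /var/log/app, and the sample inputs are all assumptions chosen for the example. The vulnerable form is shown next to the hardened form so the difference in the path handling is visible.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when the requested path resolves outside the log directory.
var ErrOutsideRoot = errors.New("read_log: path escapes the allowed log directory")

// vulnerableReadLog reproduces the defect described above: the caller-supplied
// path is handed straight to the filesystem, so "/proc/self/environ" or
// "../../etc/passwd" is read as-is. Illustrative only; not the project's code.
func vulnerableReadLog(path string) ([]byte, error) {
	return os.ReadFile(path)
}

// resolveLogPath applies the suggested fix lexically: clean the input, make it
// absolute, and require the result to stay under allowedRoot. It never touches
// the filesystem, so it can be exercised on arbitrary strings.
func resolveLogPath(allowedRoot, userPath string) (string, error) {
	root, err := filepath.Abs(allowedRoot) // Abs also applies Clean
	if err != nil {
		return "", err
	}
	// An absolute user path is cleaned as given; a relative one is anchored at
	// the root. Both Clean and Join collapse "." and ".." segments.
	var candidate string
	if filepath.IsAbs(userPath) {
		candidate = filepath.Clean(userPath)
	} else {
		candidate = filepath.Join(root, userPath)
	}
	// Containment is checked with Rel rather than a raw string prefix:
	// "/var/log/app-secrets" has "/var/log/app" as a prefix but is not inside it.
	rel, err := filepath.Rel(root, candidate)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return candidate, nil
}

// safeReadLog is the hardened replacement: lexical containment first, then a
// second check on the symlink-resolved path, so a link planted inside the log
// directory cannot point back out of it.
func safeReadLog(allowedRoot, userPath string) ([]byte, error) {
	target, err := resolveLogPath(allowedRoot, userPath)
	if err != nil {
		return nil, err
	}
	realRoot, err := filepath.EvalSymlinks(allowedRoot)
	if err != nil {
		return nil, err
	}
	realTarget, err := filepath.EvalSymlinks(target)
	if err != nil {
		return nil, err
	}
	if _, err := resolveLogPath(realRoot, realTarget); err != nil {
		return nil, err
	}
	return os.ReadFile(realTarget)
}

func main() {
	// Constructed sample inputs: one legitimate name, the path from the advisory,
	// a relative traversal, and a path that is only lexically messy.
	for _, p := range []string{"app.log", "/proc/self/environ", "../../etc/passwd", "sub/../app.log"} {
		target, err := resolveLogPath("/var/log/app", p)
		fmt.Printf("%-22q -> %q err=%v\n", p, target, err)
	}
}
```

Running main prints the accepted path for "app.log" and "sub/../app.log" and ErrOutsideRoot for the two escape attempts. The lexical check alone is enough to stop the query in the advisory; the EvalSymlinks pass in safeReadLog covers the separate case where an attacker with write access to the log directory plants a symlink to an outside file.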

posted @ 2025-06-17 21:04  Aibot  Views(18)  Comments(0)