CVE-2020-26273 log

Source
Severity Medium
Remote No
Type Arbitrary filesystem access
Description
In osquery before version 4.6.0, by using sqlite's ATTACH verb, someone with administrative access to osquery can cause reads and writes to arbitrary sqlite databases on disk. This does allow arbitrary files to be created, but they will be sqlite databases.
Group Package Affected Fixed Severity Status Ticket
AVG-1367 osquery 4.5.1-3 Medium Vulnerable
References
https://github.com/osquery/osquery/security/advisories/GHSA-4g56-2482-x7q8
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md#remote-command-execution-using-sqlite-command---load_extension
https://github.com/osquery/osquery/commit/c3f9a3dae22d43ed3b4f6a403cbf89da4cba7c3c
Notes
Workaround
==========

This issue can be mitigated by filtering for the ATTACH keyword or running osquery as a non-root user.