CVE-2020-26273

Severity Medium
Remote No
Type Arbitrary filesystem access
Description
In osquery before version 4.6.0, by using sqlite's ATTACH verb, someone with administrative access to osquery can cause reads and writes to arbitrary sqlite databases on disk. This does allow arbitrary files to be created, but they will be sqlite databases.
Group     Package  Affected  Fixed    Severity  Status  Ticket
AVG-1367  osquery  4.5.1-8   4.6.0-1  Medium    Fixed
References
https://github.com/osquery/osquery/security/advisories/GHSA-4g56-2482-x7q8
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md#remote-command-execution-using-sqlite-command---load_extension
https://github.com/osquery/osquery/commit/c3f9a3dae22d43ed3b4f6a403cbf89da4cba7c3c
Notes
Workaround
==========

This issue can be mitigated by filtering for the ATTACH keyword or running osquery as a non-root user.
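
One way to apply the ATTACH keyword filter from the workaround to queries before they reach osquery, as an added example (not code from osquery or from the advisory). It tokenizes each query so that ATTACH is matched case-insensitively and only outside comments, string literals and quoted identifiers; the function names, the pack contents and the paths in them are constructed for illustration.

```python
import re

# Lexical elements of SQLite that can hide or mimic a keyword.
_TOKEN = re.compile(r"""
    (?P<skip>--[^\n]*|/\*.*?\*/|/\*.*\Z)     # comments (an unclosed block comment runs to EOF)
  | (?P<quoted>'(?:[^']|'')*'|"(?:[^"]|"")*"|`(?:[^`]|``)*`|\[[^\]]*\])  # literals, quoted identifiers
  | (?P<word>[A-Za-z_][A-Za-z0-9_$]*)        # bare keyword or identifier
  | (?P<other>.)                             # punctuation, digits, whitespace
""", re.VERBOSE | re.DOTALL)


def attach_offsets(sql: str) -> list[int]:
    """Character offsets of every bare ATTACH keyword in `sql`."""
    return [m.start() for m in _TOKEN.finditer(sql)
            if m.lastgroup == "word" and m.group().upper() == "ATTACH"]


def split_pack(pack: dict) -> tuple[dict, dict]:
    """Partition the queries of an osquery-style pack into (allowed, rejected)."""
    allowed, rejected = {}, {}
    for name, entry in pack.get("queries", {}).items():
        (rejected if attach_offsets(entry["query"]) else allowed)[name] = entry
    return allowed, rejected


# Constructed sample pack: names, queries and paths are illustrative only.
SAMPLE_PACK = {"queries": {
    "listening_ports": {"query": "SELECT pid, port FROM listening_ports;", "interval": 60},
    "note_in_literal": {"query": "SELECT 'attach database' AS note; -- ATTACH in a comment",
                        "interval": 60},
    "plain_attach": {"query": "ATTACH DATABASE '/tmp/constructed.db' AS x;", "interval": 60},
    "mixed_case_comment": {"query": "SELECT 1; /* pad */ aTtAcH/**/'/tmp/constructed.db' AS y",
                           "interval": 60},
}}

if __name__ == "__main__":
    ok, bad = split_pack(SAMPLE_PACK)
    print("allowed: ", sorted(ok))
    print("rejected:", sorted(bad))
```

The filter is deliberately conservative: a query that uses the bare word attach as an unquoted identifier is rejected as well.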