CVE-2022-45786 in AGE
Summary
by MITRE • 02/04/2023
There are issues with the AGE drivers for Golang and Python that enable SQL injections to occur. This impacts AGE for PostgreSQL 11 & AGE for PostgreSQL 12, all versions up-to-and-including 1.1.0, when using those drivers. The fix is to update to the latest Golang and Python drivers in addition to the latest version of AGE that is used for PostgreSQL 11 or PostgreSQL 12. The update of AGE will add a new function to enable parameterization of the cypher() function, which, in conjunction with the driver updates, will resolve this issue. Background (for those who want more information): After thoroughly researching this issue, we found that due to the nature of the cypher() function, it was not easy to parameterize the values passed into it. This enabled SQL injections, if the developer of the driver wasn't careful. The developer of the Golang and Pyton drivers didn't fully utilize parameterization, likely because of this, thus enabling SQL injections. The obvious fix to this issue is to use parameterization in the drivers for all PG SQL queries. However, parameterizing all PG queries is complicated by the fact that the cypher() function call itself cannot be parameterized directly, as it isn't a real function. At least, not the parameters that would take the graph name and cypher query. The reason the cypher() function cannot have those values parameterized is because the function is a placeholder and never actually runs. The cypher() function node, created by PG in the query tree, is transformed and replaced with a query tree for the actual cypher query during the analyze phase. The problem is that parameters - that would be passed in and that the cypher() function transform needs to be resolved - are only resolved in the execution phase, which is much later. Since the transform of the cypher() function needs to know the graph name and cypher query prior to execution, they can't be passed as parameters. The fix that we are testing right now, and are proposing to use, is to create a function that will be called prior to the execution of the cypher() function transform. This new function will allow values to be passed as parameters for the graph name and cypher query. As this command will be executed prior to the cypher() function transform, its values will be resolved. These values can then be cached for the immediately following cypher() function transform to use. As added features, the cached values will store the calling session's pid, for validation. And, the cypher() function transform will clear this cached information after function invocation, regardless of whether it was used. This method will allow the parameterizing of the cypher() function indirectly and provide a way to lock out SQL injection attacks.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/05/2023
The vulnerability described in CVE-2022-45786 represents a critical security flaw affecting the Apache AGE (Advanced Graph Engine) extension for PostgreSQL versions 11 and 12. This issue specifically targets the Golang and Python drivers that interface with AGE, creating a pathway for SQL injection attacks due to insufficient parameterization mechanisms. The vulnerability stems from the inherent design of the cypher() function within the AGE framework, which operates as a placeholder node in PostgreSQL's query tree rather than a traditional SQL function. This architectural characteristic fundamentally prevents direct parameterization of graph names and cypher queries, as the transformation process occurs during the analyze phase while parameter resolution happens during execution, creating a temporal mismatch that security researchers have identified as a significant weakness.
The technical implementation of this vulnerability demonstrates a sophisticated understanding of PostgreSQL's query processing pipeline and how graph database functions interact with traditional SQL engines. The cypher() function node is essentially a placeholder that gets replaced with an actual query tree during the analysis phase, but this transformation requires access to graph names and cypher queries before execution can begin. This design constraint creates a window where unparameterized inputs can be exploited, particularly when developers of the Golang and Python drivers fail to implement proper input sanitization measures. The vulnerability aligns with CWE-89, which specifically addresses SQL injection flaws, and represents a variant where the injection vector emerges from the complex interaction between graph query processing and traditional SQL parameter handling. The flaw is particularly concerning because it affects the core driver functionality that applications depend upon to communicate with graph databases through PostgreSQL's AGE extension.
The operational impact of this vulnerability extends beyond simple data integrity concerns to potentially enable full database compromise when attackers exploit the parameterization gap. An attacker could craft malicious cypher queries that, when processed through affected drivers, would be executed with elevated privileges, potentially leading to data exfiltration, modification, or even complete system compromise. The vulnerability affects all versions of AGE up to and including 1.1.0, making it particularly widespread among deployments that have not yet upgraded to newer versions. Organizations using AGE with PostgreSQL 11 or 12 who rely on Golang or Python applications for database interactions face significant risk, especially in environments where the drivers are not properly configured with input validation or where applications directly pass user-supplied data into cypher queries without proper sanitization.
The recommended mitigation strategy involves a multi-layered approach that addresses both the driver-level implementation and the AGE extension itself. The primary solution requires updating to the latest versions of both the Golang and Python drivers alongside the newest AGE releases for PostgreSQL 11 and 12. This update introduces a new function that enables parameterization of the cypher() function through an indirect caching mechanism that resolves values before the transformation process begins. The proposed fix implements a session-based validation system that caches resolved parameters using the calling session's process ID for verification, ensuring that cached values are only accessible within the correct execution context. This approach aligns with ATT&CK technique T1078.004, which addresses valid accounts and credential access, by preventing unauthorized parameter manipulation that could occur through SQL injection attacks. The solution effectively creates a secure parameter resolution pipeline that operates before the problematic transformation phase while maintaining backward compatibility through proper session isolation and automatic cache clearing mechanisms that prevent information leakage between different function invocations.