|
|
|
|
|
|
by lazycog512
494 days ago
|
|
|
"Because of how PostgreSQL string escaping routines handle invalid UTF-8 characters, in combination with how invalid byte sequences within the invalid UTF-8 characters are processed by psql, an attacker can leverage CVE-2025-1094 to generate a SQL injection." UTF-8 and its consequences have been a disaster for information security |
|
|
"Running meta-commands can extend psql's functionality, and it's through these that an attacker can feasibly achieve ACE by using the exclamation mark meta-command to execute a shell command on the operating system. Attackers can also use the vulnerability to execute SQL statements of their choosing."
I don't know PostgreSQL very well, but being able to execute shell commands by default seems like an obvious footgun.