This issue affects any application that relies on Liquibase to automatically enforce data integrity rules on a repository’s code base. It may also affect applications that maintain data integrity rules on a remote Git or Mercurial repository through Liquibase’s support for other source control systems. The issue is triggered when a user creates a new Liquibase database from a GitHub repository. If the user does not have write access to the code base, the Liquibase server will automatically restrict the entity reference that points to the repository to a read-only state. The Liquibase server will then automatically enforce data integrity rules for that entity reference.

Description of the vulnerability

In Liquibase versions 2.0.2 through 3.3.1, a malicious user can produce arbitrary database credentials by crafting a SQL statement that references a repository and inserts the SQLite schema into the Liquibase database, and then deleting the Liquibase project and the corresponding configuration file from the application's webroot directory.

How does this work?

Liquibase manages data integrity rules on a repository through entity references. If a user creates a new Liquibase database from a GitHub repository, and the user does not have write access to the code base, the Liquibase server will automatically restrict the entity reference that points to the repository to a read-only state. The Liquibase server will then automatically enforce data integrity rules for this entity reference in order to maintain data integrity in that database.

Error Message and How to Avoid It

A warning message may appear in an application log when the Liquibase server scans a database for data integrity violations:
WARNING: [200] Entity reference is read-only.
The entity reference refers to a table or column in a database. This issue can be avoided by ensuring that the user has write access to the repository that is being referenced by the Liquibase server before creating a new Liquibase database from it.

Solution: Install the latest version of Liquibase

If you are using GitHub as your source control system, you should install the latest version of Liquibase. If you are not using GitHub, please refer to the Liquibase documentation for more information on how to upgrade your database.

Timeline

Published on: 03/04/2022 15:15:00 UTC
Last modified on: 07/25/2022 18:19:00 UTC
