Added CVE-2023-22626 for pghero (#533)

ankane · web-flow · commit 44535e83d84d · 2023-01-04T23:50:04.000-08:00
diff --git a/gems/pghero/CVE-2023-22626.yml b/gems/pghero/CVE-2023-22626.yml
@@ -0,0 +1,14 @@
+---
+gem: pghero
+cve: 2023-22626
+url: https://github.com/ankane/pghero/issues/439
+title: Information Disclosure Through EXPLAIN Feature
+date: 2023-01-04
+description: |
+  A malicious PgHero user can use the EXPLAIN functionality to extract data from
+  the database. With certain inputs, a user can get the results of a query to
+  appear in an error message. If the PgHero database user has superuser privileges
+  (not recommended), the user can use file access functions to read files on the
+  database server.
+patched_versions:
+- ">= 3.1.0"
