Today we have released versions 4.3.2 and 4.2.4 of Nominatim. They fix a low-risk SQL injection issue in the nominatim CLI tool.
As part of the ongoing NGI Zero project, RadicallyOpenSecurity(ROS) was once more asked to take a look at the code of Nominatim from a security point of view. The focus this time was on all the new Python code created in the last two years.
They did find a possible SQL injection issue in the CLI function
nominatim admin --collect-os-info. It is possible to run arbitrary SQL
through a manipulated database name. ROS does classify the thread level
as low. The attacker needs access to the admin machine and credentials
that are easier used in a more direct way. You should update your
installation nonetheless. Only versions 4.2 and 4.3 are affected.
ROS did not find any other security issues. There are code smells, in particular related to SQL string formatting and XML generation. However, given that they found them not to be exploitable, we will address these as part of regular code maintenance.
Updating to the new patch releases is straightforward. Simply build and install the new version. If you are updating from 4.2.0 - 4.2.2, please make sure to consult the migration guide.