CVE-2024-43406 LF Edge eKuiper has a SQL Injection in sqlKvStore

2024-08-2015:00:06

CWE-89

GitHub_M

www.cve.org

cve-2024-43406

lf edge ekuiper

sql injection

sqlkvstore

iot

data analytics

stream processing

get method

vulnerability

fixed

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

20.0%

JSON

LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constraint edge devices. A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore. This vulnerability is fixed in 1.14.2.

CNA Affected

[
  {
    "vendor": "lf-edge",
    "product": "ekuiper",
    "versions": [
      {
        "version": "< 1.14.2",
        "status": "affected"
      }
    ]
  }
]