Lucene search

K

[email protected]NVD:CVE-2023-30625

HistoryJun 16, 2023 - 5:15 p.m.

CVE-2023-30625

2023-06-1617:15:11

CWE-89

[email protected]

web.nvd.nist.gov

3

rudderstack

sql injection

remote code execution

postgressql

patch

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9.3 High

AI Score

Confidence

High

0.943 High

EPSS

Percentile

99.2%

rudder-server is part of RudderStack, an open source Customer Data Platform (CDP). Versions of rudder-server prior to 1.3.0-rc.1 are vulnerable to SQL injection. This issue may lead to Remote Code Execution (RCE) due to the rudder role in PostgresSQL having superuser permissions by default. Version 1.3.0-rc.1 contains patches for this issue.

Affected configurations

NVD

Node

rudderstackrudder-serverRange≤1.2.5

References

packetstormsecurity.com/files/173837/Rudder-Server-SQL-Injection-Remote-Code-Execution.html

github.com/rudderlabs/rudder-server/commit/0d061ff2d8c16845179d215bf8012afceba12a30

github.com/rudderlabs/rudder-server/commit/2f956b7eb3d5eb2de3e79d7df2c87405af25071e

github.com/rudderlabs/rudder-server/commit/9c009d9775abc99e72fc470f4c4c8e8f1775e82a

github.com/rudderlabs/rudder-server/pull/2652

github.com/rudderlabs/rudder-server/pull/2663

github.com/rudderlabs/rudder-server/pull/2664

securitylab.github.com/advisories/GHSL-2022-097_rudder-server/

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9.3 High

AI Score

Confidence

High

0.943 High

EPSS

Percentile

99.2%

Related for NVD:CVE-2023-30625

prion1 nuclei1 cve1 veracode1 metasploit1 zdt1 osv1 cvelist1 packetstorm1 rapid7blog1