Lucene search

GoogleOSV:PYSEC-2024-72

HistoryAug 20, 2024 - 3:15 p.m.

PYSEC-2024-72

2024-08-2015:15:00

Google

osv.dev

lf edge ekuiper

sql injection

fix

1.14.2

iot

data analytics

stream processing

edge devices

get method

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.9

Confidence

High

EPSS

0.001

Percentile

20.0%

JSON

LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constraint edge devices. A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore. This vulnerability is fixed in 1.14.2.

References

github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503

github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.9

Confidence

High

EPSS

0.001

Percentile

20.0%

JSON

Related for OSV:PYSEC-2024-72