4 matches found
eKuiper API endpoints handling SQL queries with user-controlled table names.
Summary A critical SQL Injection vulnerability exists in the getLast API functionality of the eKuiper project. This flaw allows unauthenticated remote attackers to execute arbitrary SQL statements on the underlying SQLite database by manipulating the table name input in an API request. Exploitati...
GHSA-526J-MV3P-F4VV eKuiper API endpoints handling SQL queries with user-controlled table names.
Summary A critical SQL Injection vulnerability exists in the getLast API functionality of the eKuiper project. This flaw allows unauthenticated remote attackers to execute arbitrary SQL statements on the underlying SQLite database by manipulating the table name input in an API request. Exploitati...
GHSA-GJ54-GWJ9-X2C6 eKuiper /config/uploads API arbitrary file writing may lead to RCE
Summary eKuiper /config/uploads API supports accessing remote web URLs and saving files in the local upload directory, but there are no security restrictions, resulting in arbitrary file writing through ../. If run with root privileges, RCE can be achieved by writing crontab files or ssh keys...
eKuiper /config/uploads API arbitrary file writing may lead to RCE
Summary eKuiper /config/uploads API supports accessing remote web URLs and saving files in the local upload directory, but there are no security restrictions, resulting in arbitrary file writing through ../. If run with root privileges, RCE can be achieved by writing crontab files or ssh keys...