CVE-2024-43406

Advisory

eKuiper affected versions contain a SQL Injection vulnerability in the `Get` and `Delete` methods of `sqlKvStore`. A malicious user can exploit this by injecting arbitrary SQL through the `rule id` parameter, allowing unauthorized execution of SQL queries. This vulnerability is present in several endpoints, including `explainRuleHandler`, `sourceManageHandler`, `asyncTaskCancelHandler`, and `pluginHandler`, potentially leading to data breaches or unauthorized data manipulation.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503
• https://github.com/advisories/GHSA-r5ph-4jxm-6j9p
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43406