Blvck-Ltr

#13488 of 53,632
19.7 Total CVSS
Vulnerabilities · 2
Critical · 2
PT-2026-37210
9.8
2026-05-05
Kestra · Kestra · CVE-2026-38428
**Name of the Vulnerable Software and Affected Versions** Kestra versions prior to 1.3.4 **Description** SQL Injection occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. This allows attackers to inject arbitrary SQL expressions into the database query. **Recommendations** Update to a version newer than 1.3.3.
PT-2026-30266
9.9
2026-04-03
Kestra · Kestra · CVE-2026-34612
**Name of the Vulnerable Software and Affected Versions** Kestra versions prior to 1.3.7 **Description** Kestra is an event-driven orchestration platform. Versions prior to 1.3.7 contain a SQL Injection vulnerability in the `GET /api/v1/main/flows/search` endpoint, which can lead to Remote Code Execution (RCE). Authenticated users can trigger this issue by visiting a crafted link. The vulnerability exploits PostgreSQL's `COPY ... TO PROGRAM ...` functionality to execute arbitrary OS commands on the host system. **Recommendations** Update to version 1.3.7 or later.