Leonnewton

Name of the Vulnerable Software and Affected Versions: Devtron versions prior to 0.7.2 Description: Devtron is an open source tool integration platform for Kubernetes. An authenticated user with minimum permission could utilize and exploit SQL Injection to allow the execution of malicious SQL queries via the CreateUser API (/orchestrator/user). The SQL injection can happen in the code where the `userInfo` parameter can be controlled by users, allowing the creation and execution of malicious SQL queries. The user should be authenticated but only needs minimum permissions. Recommendations: For Devtron versions prior to 0.7.2, update to version 0.7.2 to address this issue promptly. As a temporary workaround, consider restricting access to the CreateUser API (/orchestrator/user) until the update is applied. Avoid using the `userInfo` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** LF Edge eKuiper versions prior to 1.14.2 **Description** A SQL Injection vulnerability exists in the sqlKvStore of LF Edge eKuiper, allowing the execution of malicious SQL queries via the Get method. This issue affects various handlers, including explainRuleHandler, sourceManageHandler, asyncTaskCancelHandler, and pluginHandler. The `rule id` can be used to exploit SQL queries, and the delete function is also vulnerable. **Recommendations** For versions prior to 1.14.2, update to version 1.14.2 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable sqlKvStore module to minimize the risk of exploitation. Avoid using the `rule id` in the affected API endpoints until the issue is resolved.