PT-2023-22822 · Unknown · Rudder-Server+1
Kevin Stubbings +1 · Published 2023-06-16 · Updated 2024-08-20 · CVE-2023-30625
CVSS v4.0: 9.3 (Critical)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N |
Name of the Vulnerable Software and Affected Versions
rudder-server versions prior to 1.3.0-rc.1
Description
The issue is a SQL injection in rudder-server, which may lead to Remote Code Execution (RCE) because the rudder role in PostgreSQL has superuser permissions by default.
Recommendations
For versions prior to 1.3.0-rc.1, update to version 1.3.0-rc.1 to resolve the issue. As a temporary workaround, consider restricting the rudder role permissions in PostgreSQL to minimize the risk of exploitation.
Exploit
Fix
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products
Postgresql
Rudder-Server