PT-2024-30563 · Lf Edge · Lf Edge Ekuiper

Leonnewton · Published 2024-08-20 · Updated 2024-08-26 · CVE-2024-43406

CVSS v3.1 8.8 High
Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

LF Edge eKuiper versions prior to 1.14.2

Description

A SQL injection vulnerability exists in the sqlKvStore of LF Edge eKuiper: the Get method builds a SQL query from caller-supplied input, so crafted values execute as SQL. The issue is reachable from several handlers, including explainRuleHandler, sourceManageHandler, asyncTaskCancelHandler, and pluginHandler. The rule id is the injection point, and the store's delete function is affected as well.

Recommendations

For versions prior to 1.14.2, update to version 1.14.2 to resolve the issue. As a temporary workaround, restrict access to the vulnerable sqlKvStore module to reduce the exposure, and avoid passing rule ids to the affected API endpoints until the fix is deployed.
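As an added illustration (not eKuiper's own code, which is written in Go), the defect pattern the advisory describes beside its fix, in Python with sqlite3: a key-value Get that splices the rule id into the SQL text, the parameterized Get and delete that replace it, and an allowlist check for rule ids at the handler. The schema, sample rows and allowlist pattern are assumptions made for this example.

```python
import re
import sqlite3

# Constructed stand-in for a SQL-backed key-value store (assumed schema and
# sample rows; this is not eKuiper's sqlKvStore).
SCHEMA = "CREATE TABLE kv (key TEXT PRIMARY KEY, val TEXT)"
SAMPLE_ROWS = [("rule1", '{"sql": "SELECT * FROM demo"}'),
               ("rule2", '{"sql": "SELECT a FROM demo"}')]

# Assumed allowlist for rule ids: the store should never see anything else.
RULE_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO kv VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def vulnerable_get(conn: sqlite3.Connection, key: str):
    # Defect pattern: the caller-supplied key is spliced into the statement
    # text, so quote characters in a rule id become part of the SQL.
    row = conn.execute(f"SELECT val FROM kv WHERE key = '{key}'").fetchone()
    return row[0] if row else None

def hardened_get(conn: sqlite3.Connection, key: str):
    # Fix: the key travels as a bound parameter and is only ever data.
    row = conn.execute("SELECT val FROM kv WHERE key = ?", (key,)).fetchone()
    return row[0] if row else None

def hardened_delete(conn: sqlite3.Connection, key: str) -> int:
    # Same treatment for the delete path named in the advisory.
    return conn.execute("DELETE FROM kv WHERE key = ?", (key,)).rowcount

def is_valid_rule_id(rule_id: str) -> bool:
    # Defence in depth at the handler: reject ids that are not plain tokens.
    return RULE_ID_RE.fullmatch(rule_id) is not None

def probe(key: str) -> dict:
    """Run one key through both Get variants on a fresh store."""
    conn = open_store()
    try:
        vuln, err = vulnerable_get(conn, key), None
    except sqlite3.OperationalError as exc:
        vuln, err = None, str(exc)   # key was parsed as SQL, not as data
    return {"vulnerable": vuln, "vulnerable_error": err,
            "hardened": hardened_get(conn, key),
            "valid_id": is_valid_rule_id(key)}
```

A rule id containing a quote character makes the vulnerable Get fail inside the SQL parser, while the parameterized Get simply finds no such key; the allowlist check rejects it before the store is reached.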

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2024-43406
GHSA-R5PH-4JXM-6J9P
GO-2024-3078
PYSEC-2024-72

Affected Products

Lf Edge Ekuiper