CVE-2023-30625
published 2023-06-16


Priority: P1 87 high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
In the wild: VulnCheck KEV, exploited in the wild
EPSS: 85.82% (99.7th percentile)
rudder-server is part of RudderStack, an open source Customer Data Platform (CDP). Versions of rudder-server prior to 1.3.0-rc.1 are vulnerable to SQL injection. This issue may lead to Remote Code Execution (RCE) because the `rudder` role in PostgreSQL has superuser permissions by default. Version 1.3.0-rc.1 contains patches for this issue.

Affected (3 ranges)

Vendor       | Product                   | Version range         | Fixed in
-------------|---------------------------|-----------------------|-----------
github.com   | rudderlabs_rudder-server  | >= 0 < 1.3.0-rc.1     | 1.3.0-rc.1
rudderlabs   | rudder-server             | < 1.3.0-rc.1          | 1.3.0-rc.1
rudderstack  | rudder-server             | <= 1.2.5              | (none listed)

Detection & IOCs (extracted from sources)

url: POST /v1/warehouse/pending-events HTTP/1.1
path: /v1/warehouse/pending-events
command: test'; copy (SELECT '') to program '{{cmd}}'-- -
  • Look for POST requests to /v1/warehouse/pending-events containing SQL injection payloads in the 'source_id' JSON field, specifically patterns using single-quote escapes and PostgreSQL COPY TO PROGRAM syntax.
  • A server response containing the string 'error getting pending' with HTTP 500 status indicates successful triggering of the vulnerable code path.
  • Exploitation leverages PostgreSQL's COPY TO PROGRAM command for RCE, possible because the 'rudder' role has superuser permissions by default. Monitor PostgreSQL logs for COPY TO PROGRAM executions originating from the rudder-server process.
  • A Metasploit module exists for this vulnerability (exploits/multi/http/rudder_server_sqli_rce). Presence of this module's traffic patterns or User-Agent strings in logs may indicate active exploitation attempts.
  • The vulnerability is only exploitable in rudder-server versions prior to 1.3.0-rc.1. Ensure version detection is part of your triage process before escalating alerts.
  • RCE impact is contingent on the PostgreSQL 'rudder' role retaining its default superuser permissions. Environments that have hardened PostgreSQL role permissions may not be susceptible to the RCE escalation, though SQL injection still applies.
  • The Nuclei template uses an out-of-band (interactsh DNS) callback to confirm exploitation. Detection rules relying solely on HTTP response body matching ('error getting pending' + HTTP 500) may produce false positives without the OOB confirmation step.
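The detection and triage points above (injection patterns in the `source_id` field of POST requests to `/v1/warehouse/pending-events`, the weak 'error getting pending' + HTTP 500 signal, and the version gate at 1.3.0-rc.1) can be combined into one log-review routine. The following is an added example written for this page; it is not code from RudderStack or from the advisory's sources. It assumes a simple access-log record shape (`id`, `method`, `path`, `body`, `status`, `response`) and a known server version, and the sample records are constructed, not captured traffic.

```python
import json
import re

# Endpoint and payload shape come from the advisory's IOCs; the record shape is assumed.
VULN_PATH = "/v1/warehouse/pending-events"
FIXED_VERSION = "1.3.0-rc.1"

# Quote break-out followed by PostgreSQL "COPY ... TO PROGRAM" (the RCE primitive).
COPY_TO_PROGRAM = re.compile(r"'\s*;.*\bcopy\b.*\bto\s+program\b", re.IGNORECASE | re.DOTALL)
# Generic quote break-out: '; , ' or , ' and , '--  (SQL injection probe without RCE).
QUOTE_BREAKOUT = re.compile(r"'\s*(?:;|or\b|and\b|--)", re.IGNORECASE)


def parse_version(v):
    """Turn '1.3.0-rc.1' into a sortable tuple; a final release sorts above its rc builds."""
    core, _, pre = v.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    if pre:
        m = re.fullmatch(r"rc\.?(\d+)", pre)
        return nums + (0, int(m.group(1)) if m else 0)
    return nums + (1, 0)


def is_vulnerable_version(v):
    """True for every rudder-server version below the fixed 1.3.0-rc.1."""
    return parse_version(v) < parse_version(FIXED_VERSION)


def classify_request(entry):
    """Return (severity, reason) for one access-log record (a dict)."""
    if entry.get("method") != "POST" or entry.get("path") != VULN_PATH:
        return ("none", "not the pending-events endpoint")
    try:
        body = json.loads(entry.get("body") or "{}")
    except json.JSONDecodeError:
        return ("low", "non-JSON body on pending-events endpoint")
    source_id = str(body.get("source_id", ""))
    if COPY_TO_PROGRAM.search(source_id):
        return ("high", "COPY TO PROGRAM in source_id (RCE attempt)")
    if QUOTE_BREAKOUT.search(source_id):
        return ("medium", "quote break-out in source_id (SQL injection probe)")
    # The bare error signal alone is false-positive prone; keep it low and ask for corroboration.
    if entry.get("status") == 500 and "error getting pending" in entry.get("response", ""):
        return ("low", "error path hit without injection pattern (needs corroboration)")
    return ("none", "benign-looking request")


def triage(entries, server_version):
    """Classify every record; downgrade hits to 'info' when the server is already patched."""
    vulnerable = is_vulnerable_version(server_version)
    results = []
    for e in entries:
        sev, reason = classify_request(e)
        if sev != "none" and not vulnerable:
            sev, reason = "info", reason + f" [server {server_version} is patched]"
        results.append((e.get("id"), sev, reason))
    return results


def _rec(rid, source_id, status=200, response="ok"):
    return {"id": rid, "method": "POST", "path": VULN_PATH, "status": status,
            "response": response, "body": json.dumps({"source_id": source_id})}


# Constructed sample records (not real traffic). Record 1 mirrors the advisory's IOC payload.
SAMPLE_LOG = [
    _rec(1, "test'; copy (SELECT '') to program '{{cmd}}'-- -", 500, "error getting pending"),
    _rec(2, "abc' or '1'='1", 500, "error getting pending"),
    _rec(3, "2ABCdef", 500, "error getting pending"),
    _rec(4, "2ABCdef"),
]

if __name__ == "__main__":
    for rid, sev, reason in triage(SAMPLE_LOG, "1.2.5"):
        print(f"record {rid}: {sev:6} {reason}")
```

Run against a patched host (for example `triage(SAMPLE_LOG, "1.3.0")`) every hit is reported as `info` with the patched-version note appended, which keeps the version check in the triage path as the advisory recommends; the bare HTTP 500 signal never rises above `low` on its own.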

CVSS provenance

NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 8.8 HIGH