CVE-2023-30625
Published: 2023-06-16
Priority: P187 · Severity: high (8.8, CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Flags: ITW EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 85.82% (99.7th percentile)
rudder-server is part of RudderStack, an open source Customer Data Platform (CDP). Versions of rudder-server prior to 1.3.0-rc.1 are vulnerable to SQL injection. This issue may lead to Remote Code Execution (RCE) due to the `rudder` role in PostgreSQL having superuser permissions by default. Version 1.3.0-rc.1 contains patches for this issue.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | rudderlabs_rudder-server | >= 0 < 1.3.0-rc.1 | 1.3.0-rc.1 |
| rudderlabs | rudder-server | < 1.3.0-rc.1 | 1.3.0-rc.1 |
| rudderstack | rudder-server | <= 1.2.5 | — |
Detection & IOCs (extracted from sources)
- Look for POST requests to /v1/warehouse/pending-events containing SQL injection payloads in the 'source_id' JSON field, specifically patterns using single-quote escapes and PostgreSQL COPY TO PROGRAM syntax.
- A server response containing the string 'error getting pending' with HTTP 500 status indicates successful triggering of the vulnerable code path.
- Exploitation leverages PostgreSQL's COPY TO PROGRAM command for RCE, possible because the 'rudder' role has superuser permissions by default. Monitor PostgreSQL logs for COPY TO PROGRAM executions originating from the rudder-server process.
- A Metasploit module exists for this vulnerability (exploits/multi/http/rudder_server_sqli_rce). Presence of this module's traffic patterns or User-Agent strings in logs may indicate active exploitation attempts.
- The vulnerability is only exploitable in rudder-server versions prior to 1.3.0-rc.1. Ensure version detection is part of your triage process before escalating alerts.
- RCE impact is contingent on the PostgreSQL 'rudder' role retaining its default superuser permissions. Environments that have hardened PostgreSQL role permissions may not be susceptible to the RCE escalation, though SQL injection still applies.
- The Nuclei template uses an out-of-band (interactsh DNS) callback to confirm exploitation. Detection rules relying solely on HTTP response body matching ('error getting pending' + HTTP 500) may produce false positives without the OOB confirmation step.
CVSS provenance
- NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 8.8 HIGH
OSV
osv · 2024-08-20
CVE-2023-30625: rudder-server is vulnerable to SQL injection in github.com/rudderlabs/rudder-server
GHSA
ghsa · 2024-08-05
CVE-2023-30625 [CRITICAL] CWE-89: rudder-server is vulnerable to SQL injection
OSV
osv · 2024-08-05
CVE-2023-30625 [CRITICAL]: rudder-server is vulnerable to SQL injection
VulnCheck
vulncheck · 2023 · CVSS 8.8
CVE-2023-30625 [HIGH]: rudderstack rudder-server Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Affected: rudderstack rudder-server
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-04&host_type=src&vulnerability=cve-2
No detection rules found.
Metasploit
metasploit
Rudder Server SQLI Remote Code Execution
This Metasploit module exploits a SQL injection vulnerability in RudderStack's rudder-server, an open source Customer Data Platform (CDP). The vulnerability exists in versions of rudder-server prior to 1.3.0-rc.1. By exploiting this flaw, an attacker can execute arbitrary SQL commands, which may lead to Remote Code Execution (RCE) due to the `rudder` role in PostgreSQL having superuser permissions by default.
Nuclei
nuclei · CVSS 8.8
CVE-2023-30625 [HIGH]: Rudder Server < 1.3.0-rc.1 - SQL Injection
Template:

```yaml
id: CVE-2023-30625

info:
  name: Rudder Server < 1.3.0-rc.1 - SQL Injection
  author: gy741
  severity: high
  description: |
    Rudder-server is part of RudderStack, an open source Customer Data Platform (CDP). Versions of rudder-server prior to 1.3.0-rc.1 are vulnerable to SQL injection. This issue may lead to Remote Code Execution (RCE) due to the `rudder` role in PostgresSQL having superuser permissio
```
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/173837/Rudder-Server-SQL-Injection-Remote-Code-Execution.html
- https://github.com/rudderlabs/rudder-server/commit/0d061ff2d8c16845179d215bf8012afceba12a30
- https://github.com/rudderlabs/rudder-server/commit/2f956b7eb3d5eb2de3e79d7df2c87405af25071e
- https://github.com/rudderlabs/rudder-server/commit/9c009d9775abc99e72fc470f4c4c8e8f1775e82a
- https://github.com/rudderlabs/rudder-server/pull/2652
- https://github.com/rudderlabs/rudder-server/pull/2663
- https://github.com/rudderlabs/rudder-server/pull/2664
- https://securitylab.github.com/advisories/GHSL-2022-097_rudder-server/