CVE-2024-43406
Published: 2024-08-20
CVE-2024-43406: LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constrained edge devices. A user could utilize and exploit…
Priority: P353 | Severity: high | CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.89% (55.0th percentile)
LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constrained edge devices. A user could utilize and exploit SQL Injection to allow the execution of a malicious SQL query via the Get method in sqlKvStore. This vulnerability is fixed in 1.14.2.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | lf-edge_ekuiper | >= 0 < 1.14.2 | 1.14.2 |
| lf-edge | ekuiper | < 1.14.2 | 1.14.2 |
| lf-edge | ekuiper | >= 0 < 1.14.2 | 1.14.2 |
| lf-edge | ekuiper | >= 0 < 1a9c745649438feaac357d282959687012b65503 | 1a9c745649438feaac357d282959687012b65503 |
| lfedge | ekuiper | < 1.14.2 | 1.14.2 |
OSV
LF Edge eKuiper has a SQL Injection in sqlKvStore in github.com/lf-edge/ekuiper
osv · 2024-08-22 · CVE-2024-43406
GHSA
LF Edge eKuiper has a SQL Injection in sqlKvStore
ghsa · 2024-08-20 · CVE-2024-43406 [HIGH] CWE-89
### Summary
A user could utilize and exploit SQL Injection to allow the execution of a malicious SQL query via the Get method in sqlKvStore.
### Details
I will use explainRuleHandler ("/rules/{name}/explain") as an example to illustrate. However, this vulnerability also exists in other methods such as sourceManageHandler, asyncTaskCancelHandler, pluginHandler, etc.
The SQL injection can happen in the code:
https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L89-L93
The code to accept user input is:
https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/server/rest.go#L274-L277
The rule id in the above code can be used to exploit the SQL query.
Note th
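The advisory names the flaw but the page carries no code, so the following is an added illustration, not eKuiper's own code (eKuiper is written in Go; this is a Python model using the standard-library sqlite3 module). The table name `kv`, the rule names and the `RULE_NAME` allowlist are constructed for the example. It shows the CWE-89 pattern in a SQL-backed key/value `Get`: a key spliced into the SQL text reaches the parser, while a bound parameter and an allowlist at the REST boundary do not.

```python
import re
import sqlite3

# Constructed in-memory stand-in for a SQL-backed KV table; not eKuiper's schema.
def make_store():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE kv (key TEXT PRIMARY KEY, val BLOB)")
    conn.executemany("INSERT INTO kv VALUES (?, ?)",
                     [("rule1", b'{"sql":"SELECT * FROM demo"}'),
                      ("rule2", b'{"sql":"SELECT a FROM demo"}')])
    return conn

def get_vulnerable(conn, key):
    # CWE-89 pattern: the caller-controlled key is formatted into the statement,
    # so a quote in the key changes the SQL instead of staying inside a literal.
    sql = f"SELECT val FROM kv WHERE key = '{key}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def get_fixed(conn, key):
    # Bound parameter: the key travels as data and cannot alter the statement.
    row = conn.execute("SELECT val FROM kv WHERE key = ?", (key,)).fetchone()
    return row[0] if row else None

# Hypothetical allowlist for rule names arriving via /rules/{name}/... handlers.
RULE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

def get_rule(conn, name):
    # Defense in depth at the REST boundary: reject odd names before the store.
    if not RULE_NAME.match(name):
        raise ValueError(f"invalid rule name: {name!r}")
    return get_fixed(conn, name)

def demonstrate():
    conn = make_store()
    results = {"normal": (get_vulnerable(conn, "rule1"), get_fixed(conn, "rule1"))}
    quoted = "it's"  # constructed: a key holding a lone quote character
    try:
        get_vulnerable(conn, quoted)
        results["vuln_quoted"] = "executed"
    except sqlite3.OperationalError:
        results["vuln_quoted"] = "sql parse error: the quote altered the statement"
    results["fixed_quoted"] = get_fixed(conn, quoted)  # None: no such key exists
    try:
        get_rule(conn, quoted)
        results["rule_quoted"] = "accepted"
    except ValueError:
        results["rule_quoted"] = "rejected by allowlist"
    return results

if __name__ == "__main__":
    print(demonstrate())
```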
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-08-20