CVE-2024-43406

LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constraint edge devices. A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore. This vulnerability is fixed in 1.14.2.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503	Patch
https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lfedge:ekuiper:*:*:*:*:*:*:*:*

History

26 Aug 2024, 18:30

Type	Values Removed	Values Added
References	~~() https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503 -~~	() https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503 - Patch
References	~~() https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p -~~	() https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p - Exploit, Vendor Advisory
First Time		Lfedge Lfedge ekuiper
CPE		cpe:2.3:a:lfedge:ekuiper::::::::

20 Aug 2024, 15:44

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-20 15:15

Updated : 2024-08-26 18:30

NVD link : CVE-2024-43406

Mitre link : CVE-2024-43406

CVE.ORG link : CVE-2024-43406

JSON object : View

Products Affected

lfedge

ekuiper

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2024-43406", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-08-20T15:15:24.070", "references": [{"url": "https://github.com/lf-edge/ekuiper/commit/1a9c745649438feaac357d282959687012b65503", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-r5ph-4jxm-6j9p", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constraint edge devices. A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore. This vulnerability is fixed in 1.14.2."}, {"lang": "es", "value": "LF Edge eKuiper es un motor liviano de procesamiento de flujo y an\u00e1lisis de datos de IoT que se ejecuta en dispositivos de borde con limitaciones de recursos. Un usuario podr\u00eda utilizar y explotar la inyecci\u00f3n SQL para permitir la ejecuci\u00f3n de consultas SQL maliciosas a trav\u00e9s del m\u00e9todo Get en sqlKvStore. Esta vulnerabilidad se solucion\u00f3 en 1.14.2."}], "lastModified": "2024-08-26T18:30:13.230", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lfedge:ekuiper:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0E4A9711-7542-4CDD-8D79-616941875FB3", "versionEndExcluding": "1.14.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}