Vulnerability Summary
Pre-authenticated Remote Code Execution on POST /api/v1/projects via a stacked SQL injection in the JSON field tableName (interpolated by String.format into the FROM clause), abusing PgJDBC's multi-statement handling and a PostgreSQL superuser role to invoke COPY ... TO PROGRAM and run arbitrary OS commands as the postgres user.
Reported in collaboration with tonysec.
A vulnerability was identified where an unauthenticated user could achieve Remote Code Execution on the application server by injecting a stacked SQL payload into a JSON field of a project-creation endpoint. The injected payload reached a backend role with PostgreSQL superuser privileges and abused the COPY ... TO PROGRAM feature to spawn arbitrary OS commands as the postgres user on the production host.
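The pattern described above, reconstructed as an added Java example (not the project's own code): the first method shows the String.format shape that lets a second statement ride along in the FROM clause, the second shows a hardened variant that allowlists the identifier and keeps data values in bind parameters. Table and column names are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;
import java.util.regex.Pattern;

public final class ProjectTableQuery {

    // Vulnerable shape (reconstructed): the JSON field lands verbatim in the FROM clause,
    // so anything after the table name, including a ';'-separated second statement,
    // becomes part of the query text handed to the driver.
    static String buildUnsafeQuery(String tableName) {
        return String.format("SELECT id, name FROM %s WHERE deleted = false", tableName);
    }

    // Hardened version. An identifier cannot be a bind parameter, so it is checked
    // against a strict identifier pattern and an allowlist of tables this endpoint may
    // read, then double-quoted so PostgreSQL can only parse it as a name.
    private static final Set<String> KNOWN_TABLES = Set.of("projects", "projects_archive");
    private static final Pattern SAFE_IDENT = Pattern.compile("[a-z_][a-z0-9_]{0,62}");

    static String quoteIdentifier(String tableName) {
        if (tableName == null || !SAFE_IDENT.matcher(tableName).matches()
                || !KNOWN_TABLES.contains(tableName)) {
            throw new IllegalArgumentException("rejected table name");
        }
        // SAFE_IDENT excludes quotes, so plain quoting is sufficient here.
        return "\"" + tableName + "\"";
    }

    // Only the validated identifier is concatenated; data values stay bound.
    // Pair this with a non-superuser application role so COPY ... TO PROGRAM is
    // unavailable even if an injection slips through elsewhere.
    static ResultSet listProjects(Connection conn, String tableName, boolean deleted)
            throws SQLException {
        String sql = "SELECT id, name FROM " + quoteIdentifier(tableName) + " WHERE deleted = ?";
        PreparedStatement ps = conn.prepareStatement(sql);
        ps.setBoolean(1, deleted);
        return ps.executeQuery();
    }

    public static void main(String[] args) {
        System.out.println(quoteIdentifier("projects"));
        try {
            quoteIdentifier("projects; SELECT 1"); // constructed stacked input, rejected
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```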