CVE-2023-30625: rudder-server vulnerable to SQL Injection

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-30625

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

rudder-server vulnerable to SQL Injection

Source: NVD (National Vulnerability Database)

Vulnerability Description

rudder-server is part of RudderStack, an open source Customer Data Platform (CDP). Versions of rudder-server prior to 1.3.0-rc.1 are vulnerable to SQL injection. This issue may lead to Remote Code Execution (RCE) due to the `rudder` role in PostgresSQL having superuser permissions by default. Version 1.3.0-rc.1 contains patches for this issue.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Source: NVD (National Vulnerability Database)

Vulnerability Type

SQL命令中使用的特殊元素转义处理不恰当(SQL注入)

Source: NVD (National Vulnerability Database)

Vulnerability Title

rudder-server SQL注入漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

rudder-server是RudderStack开源的一个专注于隐私和安全的细分市场替代方案。 rudder-server 1.3.0-rc.1之前版本存在SQL注入漏洞，该漏洞源于PostgresSQL中的rudder角色默认具有超级用户权限，会导致远程代码执行 (RCE)。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
rudderlabs	rudder-server	< 1.3.0-rc.1	-

II. Public POCs for CVE-2023-30625

#	POC Description	Source Link	Shenlong Link
1	Rudder-server is part of RudderStack, an open source Customer Data Platform (CDP). Versions of rudder-server prior to 1.3.0-rc.1 are vulnerable to SQL injection. This issue may lead to Remote Code Execution (RCE) due to the `rudder` role in PostgresSQL having superuser permissions by default. Version 1.3.0-rc.1 contains patches for this issue.	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-30625.yaml	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2023-30625

Please Login to view more intelligence information

http://packetstormsecurity.com/files/173837/Rudder-Server-SQL-Injection-Remote-Code-Execution.html
https://github.com/rudderlabs/rudder-server/pull/2652x_refsource_MISC
https://github.com/rudderlabs/rudder-server/pull/2664x_refsource_MISC
https://github.com/rudderlabs/rudder-server/pull/2663x_refsource_MISC
https://securitylab.github.com/advisories/GHSL-2022-097_rudder-server/x_refsource_CONFIRM
https://github.com/rudderlabs/rudder-server/commit/0d061ff2d8c16845179d215bf8012afceba12a30x_refsource_MISC
https://github.com/rudderlabs/rudder-server/commit/9c009d9775abc99e72fc470f4c4c8e8f1775e82ax_refsource_MISC
https://github.com/rudderlabs/rudder-server/commit/2f956b7eb3d5eb2de3e79d7df2c87405af25071ex_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2023-30625

IV. Related Vulnerabilities

Same weakness: CWE-89

V. Comments for CVE-2023-30625

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2023-30625

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2023-30625

III. Intelligence Information for CVE-2023-30625

IV. Related Vulnerabilities

V. Comments for CVE-2023-30625

Leave a comment