Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
SigNoz 0.130.1 - SQL Injection in Alert History Endpoints via Rule ID Parameter
Vulnerability Description
SigNoz through 0.130.1 contains a SQL injection vulnerability that allows authenticated attackers to execute arbitrary ClickHouse queries by injecting URL-encoded quotes into the rule ID path parameter of the alert-history endpoints. Attackers can manipulate the unsanitized rule ID interpolated into ClickHouse queries to read all stored traces, logs, and metrics, or abuse the url() function to perform server-side request forgery.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Vulnerability Title
SigNoz SQL注入漏洞
Vulnerability Description
SigNoz SigNoz是SigNoz团队的一款开源应用性能监控工具。 SigNoz 0.130.1及之前版本存在SQL注入漏洞,该漏洞源于alert-history端点rule ID路径参数中存在SQL注入问题,允许已认证攻击者执行任意ClickHouse查询,读取所有存储的跟踪、日志和指标,或利用url()函数进行服务端请求伪造。
CVSS Information
N/A
Vulnerability Type
N/A