Nixpkgs security tracker
10.0 CRITICAL
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): CHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
by @LeSuisse Activity log
- Created automatic suggestion
- @LeSuisse accepted
- @LeSuisse published on GitHub
Kestra: Remote Code Execution via SQL Injection
Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL Injection vulnerability that leads to Remote Code Execution (RCE) in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated, simply visiting a crafted link is enough to trigger the vulnerability. The injected payload is executed by PostgreSQL using COPY ... TO PROGRAM ..., which in turn runs arbitrary OS commands on the host. This issue has been patched in version 1.3.7.
References
-
https://github.com/kestra-io/kestra/security/advisories/GHSA-365w-2m69-mp9x x_refsource_CONFIRM
-
https://github.com/kestra-io/kestra/releases/tag/v1.3.7 x_refsource_MISC
Affected products
- ==< 1.3.7
Matching in nixpkgs
pkgs.python312Packages.kestra
Infinitely scalable orchestration and scheduling platform, creating, running, scheduling, and monitoring millions of complex pipelines
pkgs.python313Packages.kestra
Infinitely scalable orchestration and scheduling platform, creating, running, scheduling, and monitoring millions of complex pipelines
pkgs.python314Packages.kestra
Infinitely scalable orchestration and scheduling platform, creating, running, scheduling, and monitoring millions of complex pipelines
Package maintainers
-
@DataHearth DataHearth <dev@antoine-langlois.net>