Nixpkgs security tracker
9.9 CRITICAL
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Changed (C)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Changed (C)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): High (H)
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse accepted
- @LeSuisse published on GitHub
Kestra: Remote Code Execution via SQL Injection
Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL Injection vulnerability that leads to Remote Code Execution (RCE) in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated, simply visiting a crafted link is enough to trigger the vulnerability. The injected payload is executed by PostgreSQL using COPY ... TO PROGRAM ..., which in turn runs arbitrary OS commands on the host. This issue has been patched in version 1.3.7.
References
-
https://github.com/kestra-io/kestra/security/advisories/GHSA-365w-2m69-mp9x x_refsource_CONFIRM
-
https://github.com/kestra-io/kestra/releases/tag/v1.3.7 x_refsource_MISC
Affected products
- ==< 1.3.7
Matching in nixpkgs
pkgs.python312Packages.kestra
None
pkgs.python313Packages.kestra
Infinitely scalable orchestration and scheduling platform, creating, running, scheduling, and monitoring millions of complex pipelines
pkgs.python314Packages.kestra
Infinitely scalable orchestration and scheduling platform, creating, running, scheduling, and monitoring millions of complex pipelines
Package maintainers
-
@DataHearth DataHearth <dev@antoine-langlois.net>