WeKnora SQL Injection Vulnerability in Database Query Tool
Vulnerability
A SQL injection vulnerability has been identified in WeKnora versions prior to 0.2.5. After the Agent service is enabled, users can invoke the database query tool. The vulnerability arises from inadequate backend validation, allowing attackers to use prompt-based techniques to bypass query restrictions and access sensitive information from the server and database. This issue has been addressed in version 0.2.5.
Impact
Exploitation of this vulnerability allows attackers to execute arbitrary SQL commands, bypassing query restrictions and potentially accessing or manipulating sensitive data in the database. According to the advisory, the vulnerability could also be exploited to execute dangerous built-in PostgreSQL functions.
Reproduction
To reproduce this vulnerability, enable the WeKnora Agent service and use the database query tool. Inject a SQL query that exploits the lack of validation, such as one that includes a PostgreSQL built-in function or bypasses query restrictions using comments.
Remediation
Users are advised to update WeKnora to version 0.2.5 or later, where this vulnerability has been patched.
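For teams reviewing their own agent-to-database tools, here is one way to add the backend validation the advisory found missing. This is an added Go example, not WeKnora's code or its 0.2.5 patch; `ValidateAgentSQL`, the allowlist contents and the table names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

var (
	selectOnly = regexp.MustCompile(`(?i)^select\b`)
	writeWords = regexp.MustCompile(`(?i)\b(insert|update|delete|drop|alter|create|truncate|grant|copy|into)\b`)
	// Any token directly followed by "(": a function call, or a keyword such as IN.
	callSite = regexp.MustCompile(`([\p{L}\p{N}_$"]+)\s*\(`)
	// Constructed allowlist: keywords that may precede "(" plus a few harmless functions.
	allowedCalls = map[string]bool{"in": true, "and": true, "or": true, "not": true,
		"exists": true, "from": true, "count": true, "sum": true, "min": true,
		"max": true, "avg": true, "lower": true, "upper": true, "coalesce": true}
)

// ValidateAgentSQL (hypothetical name) gates agent-generated SQL before it reaches
// PostgreSQL. It refuses rather than rewrites, even for "--" inside a string literal.
func ValidateAgentSQL(q string) error {
	s := strings.TrimSuffix(strings.TrimSpace(q), ";")
	switch {
	case strings.Contains(s, "--") || strings.Contains(s, "/*"):
		return errors.New("comments are not allowed")
	case strings.Contains(s, ";"):
		return errors.New("multiple statements are not allowed")
	case !selectOnly.MatchString(s):
		return errors.New("only SELECT is allowed")
	case writeWords.MatchString(s):
		return errors.New("data-modifying keyword found")
	}
	for _, m := range callSite.FindAllStringSubmatch(s, -1) {
		if !allowedCalls[strings.ToLower(m[1])] {
			return fmt.Errorf("function %q is not allowlisted", m[1])
		}
	}
	return nil
}

func main() {
	// Constructed samples; table and column names are hypothetical.
	for _, q := range []string{"SELECT lower(title) FROM documents WHERE id IN (1, 2)",
		"SELECT id FROM documents /* x */", "SELECT 1; SELECT 2", "SELECT pg_sleep(1)"} {
		fmt.Printf("%q -> %v\n", q, ValidateAgentSQL(q))
	}
}
```

Treat a check like this as a second layer: the database role the tool connects with should itself be read-only and limited to the tables the agent needs.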
