Fleet SQL Injection Vulnerability in Versions Prior to 4.80.1
Vulnerability
A SQL injection vulnerability has been identified in Fleet device management software, specifically in versions prior to 4.80.1. This vulnerability allows authenticated users to inject arbitrary SQL expressions through the 'order_key' query parameter. The issue arises from the improper use of 'goqu.I()' when building the 'ORDER BY' clause, which enables crafted input to escape identifier quoting and be executed as SQL. An authenticated attacker with access to the affected endpoint could exploit this to manipulate the underlying MySQL query. While the injection occurs in an 'ORDER BY' context, it can be leveraged for blind SQL injection, potentially disclosing database information by using conditional expressions that influence result ordering. Additionally, such crafted expressions might lead to excessive query processing, failures, or degraded performance, causing a denial-of-service condition.
Impact
Exploitation of this vulnerability allows for SQL injection in a blind context, enabling attackers to extract database information by manipulating query result ordering. The injected SQL could also cause excessive database load or query failures, leading to performance degradation or denial-of-service conditions.
Remediation
Users are advised to upgrade to Fleet version 4.80.1 or later. If an immediate upgrade is not possible, access to the affected endpoint should be restricted to trusted roles only, and any user-supplied sort or column parameters should be strictly allow-listed at the application or proxy layer.
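The allow-listing described above, as an added example written for this page (not Fleet's own code): the user-supplied order_key and order_direction values are only ever used to look up fixed identifiers, so nothing that reaches the ORDER BY clause depends on identifier quoting. The column names and accepted keys are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// allowedOrderKeys maps the order_key values a list endpoint accepts to a
// fixed column identifier. The user string is only a map key; the identifier
// written into SQL always comes from this table. (Hypothetical columns.)
var allowedOrderKeys = map[string]string{
	"hostname":   "h.hostname",
	"created_at": "h.created_at",
	"updated_at": "h.updated_at",
	"os_version": "h.os_version",
}

var ErrInvalidOrderKey = errors.New("order_key not in allow-list")
var ErrInvalidOrderDirection = errors.New("order_direction must be asc or desc")

// OrderByClause validates both sort parameters against allow-lists and
// returns an ORDER BY fragment assembled from constants only. Any value not
// in the allow-list is rejected rather than quoted or escaped.
func OrderByClause(orderKey, orderDirection string) (string, error) {
	column, ok := allowedOrderKeys[strings.ToLower(strings.TrimSpace(orderKey))]
	if !ok {
		return "", fmt.Errorf("%w: %q", ErrInvalidOrderKey, orderKey)
	}
	var direction string
	switch strings.ToLower(strings.TrimSpace(orderDirection)) {
	case "", "asc":
		direction = "ASC"
	case "desc":
		direction = "DESC"
	default:
		return "", fmt.Errorf("%w: %q", ErrInvalidOrderDirection, orderDirection)
	}
	return fmt.Sprintf("ORDER BY %s %s", column, direction), nil
}

func main() {
	// Constructed inputs: two valid requests and two that must be rejected.
	inputs := [][2]string{{"hostname", "desc"}, {"Created_At", ""}, {"h.hostname", "asc"}, {"hostname", "asc;"}}
	for _, in := range inputs {
		clause, err := OrderByClause(in[0], in[1])
		fmt.Printf("order_key=%q order_direction=%q -> %q err=%v\n", in[0], in[1], clause, err)
	}
}
```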
