CocoIndex SQL Injection Vulnerability in Doris Target Connector

Vulnerability

A SQL injection vulnerability has been identified in the CocoIndex data transformation framework for AI, specifically within the Doris target connector versions prior to 0.3.34. The issue arises because the connector did not validate the table name before generating certain SQL statements, such as 'ALTER TABLE'. As a result, if an untrusted source provided the table name, it could lead to SQL injection vulnerabilities during schema changes. This flaw has been addressed in version 0.3.34.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate SQL queries executed by the application. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Remediation

Users are advised to update to CocoIndex version 0.3.34 or later, where this vulnerability has been patched. Additionally, ensure that table names used with the Doris target are valid and sourced from trusted origins. If table names must be obtained from untrusted sources, they should be validated before use.
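As an illustration of the validation step the remediation calls for, the following Python is an added example and not code from the CocoIndex project: it shows the vulnerable pattern of interpolating a caller-supplied table name straight into an ALTER TABLE statement next to a hardened builder that allowlists every identifier and column type before any SQL text is produced. The identifier pattern, the allowed-type set and the function names are assumptions made for the example; the pattern is deliberately narrower than what Doris itself may accept, which is the safe direction for untrusted input.

```python
import re

# Conservative allowlist for a bare SQL identifier. This pattern is an
# assumption for the example, not the rule CocoIndex or Doris enforce; it is
# intentionally stricter than the database so that anything surprising is
# rejected rather than quoted through.
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

# Column types the schema-change code is willing to emit (constructed allowlist).
_ALLOWED_TYPES = {"INT", "BIGINT", "DOUBLE", "BOOLEAN", "DATETIME", "STRING"}


class UnsafeIdentifier(ValueError):
    """Raised when a caller-supplied identifier fails the allowlist check."""


def validate_identifier(name: str, kind: str = "identifier") -> str:
    """Return name unchanged if it is a plain identifier, otherwise raise."""
    if not isinstance(name, str) or _IDENT_RE.fullmatch(name) is None:
        raise UnsafeIdentifier(f"rejected {kind}: {name!r}")
    return name


def quote_identifier(name: str, kind: str = "identifier") -> str:
    """Validate first, then backtick-quote (MySQL-style quoting, which Doris uses)."""
    return f"`{validate_identifier(name, kind)}`"


def alter_table_add_column_unsafe(table: str, column: str, col_type: str) -> str:
    """The vulnerable pattern: caller input is interpolated directly into DDL."""
    return f"ALTER TABLE {table} ADD COLUMN {column} {col_type}"


def alter_table_add_column(table: str, column: str, col_type: str) -> str:
    """Hardened form: every fragment is validated before it reaches the SQL text."""
    if col_type.upper() not in _ALLOWED_TYPES:
        raise UnsafeIdentifier(f"rejected column type: {col_type!r}")
    return (
        f"ALTER TABLE {quote_identifier(table, 'table name')} "
        f"ADD COLUMN {quote_identifier(column, 'column name')} {col_type.upper()}"
    )


def demo() -> dict:
    """Run both builders over a clean name and a malformed one (constructed inputs)."""
    results = {}
    results["good"] = alter_table_add_column("events", "score", "double")
    # Constructed sample: a "table name" that is really a stacked statement.
    malformed = "events; SELECT 1"
    results["unsafe_accepts"] = malformed in alter_table_add_column_unsafe(
        malformed, "score", "DOUBLE"
    )
    try:
        alter_table_add_column(malformed, "score", "DOUBLE")
        results["hardened_rejects"] = False
    except UnsafeIdentifier:
        results["hardened_rejects"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check happens before quoting on purpose: backticks alone are not a defence, because a name containing a backtick or a statement separator would still be passed through, so the allowlist is what actually bounds the input and the quoting only guards against reserved words. In a deployment, the same validator should sit on every identifier that reaches DDL, not only the table name.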

Added: Mar 6, 2026, 7:46 AM
Updated: Mar 6, 2026, 7:46 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 4.7
remediation: 0.0
relevance: 3.5
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.