Rucio SQL Injection Vulnerability in Filter Engine Oracle JSON Path via DID Search API
Vulnerability
A SQL injection vulnerability has been identified in the Rucio data management system, specifically within the FilterEngine component's create_sqla_query method. This vulnerability affects Oracle deployments of Rucio versions 1.27.0 and later, prior to 35.8.5, 38.5.5, 39.4.2, and 40.1.1. The issue arises because attacker-controlled filter keys and values are directly interpolated into SQL queries without proper parameterization, allowing authenticated users to execute arbitrary SQL against the backend database through the DID search endpoint. Exploitation of this vulnerability could lead to full database compromise, including the extraction of sensitive information such as authentication tokens, password hashes, and managed data identifiers.
Impact
Exploitation of this vulnerability allows for full read access to the database, including sensitive tables such as identities, tokens, accounts, rse_settings, and rules. It also enables modification of database contents and, potentially, remote code execution on the database server under certain conditions.
Remediation
Users can upgrade to Rucio versions 35.8.5, 38.5.5, 39.4.2, or 40.1.1 to address this vulnerability.
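For code that builds similar Oracle JSON predicates from user-supplied filters, the following added example (not Rucio's code and not the project's actual patch) contrasts the interpolation pattern described above with a builder that allowlists the key and passes the value through the `PASSING` clause of `JSON_EXISTS` as a bind variable. The column name `meta`, the key pattern, the operator map and all function names are assumptions made for illustration.

```python
import re

# Hypothetical allowlist for JSON metadata keys: the key has to be embedded in
# the Oracle JSON path literal (a path cannot be a bind variable), so it is
# restricted to characters that cannot close the literal or alter the path.
_KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

# Comparison operators accepted from a filter, mapped to JSON path operators.
_OPS = {"=": "==", "!=": "!=", "<": "<", "<=": "<=", ">": ">", ">=": ">="}


def unsafe_predicate(key, op, value):
    """Pattern the advisory describes: key and value pasted into the SQL text."""
    return f"JSON_EXISTS(meta, '$?(@.{key} {_OPS[op]} \"{value}\")')"


def safe_predicate(key, op, value, index=0):
    """Return (sql_fragment, binds); the value travels only as a bind parameter."""
    if not isinstance(key, str) or not _KEY_RE.fullmatch(key):
        raise ValueError(f"rejected metadata key: {key!r}")
    if op not in _OPS:
        raise ValueError(f"rejected operator: {op!r}")
    if isinstance(value, bool) or not isinstance(value, (str, int, float)):
        raise ValueError("rejected value type")
    bind = f"v{index}"
    sql = (f"JSON_EXISTS(meta, '$?(@.{key} {_OPS[op]} ${bind})' "
           f"PASSING :{bind} AS \"{bind}\")")
    return sql, {bind: value}


def build_where(filters):
    """AND together predicates for a list of (key, op, value) filter triples."""
    parts, binds = [], {}
    for i, (key, op, value) in enumerate(filters):
        sql, b = safe_predicate(key, op, value, i)
        parts.append(sql)
        binds.update(b)
    return " AND ".join(parts), binds


if __name__ == "__main__":
    # Constructed sample filters; the first value contains a quote character.
    where, params = build_where([("campaign", "=", "o'brien"), ("run", ">=", 7)])
    print(where)
    print(params)
```

The returned fragment and bind dictionary are meant to be handed to the database driver together, so the SQL text stays the same for every value a user supplies.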
