Rucio SQL Injection Vulnerability in PostgreSQL Metadata Plugin

Vulnerability

A SQL injection vulnerability has been identified in Rucio versions 1.30.0 and later, prior to 35.8.5, 38.5.5, 39.4.2, and 40.1.1. The defect is in the 'FilterEngine.create_postgres_query()' function and allows authenticated Rucio users to execute arbitrary SQL against the PostgreSQL metadata database. It is reachable through the DID search endpoint ('GET /dids/<scope>/dids/search') whenever the 'postgres_meta' metadata plugin is active. Attacker-controlled filter keys and values are interpolated directly into SQL strings with Python's string format method, and the resulting text is then passed to 'psycopg3' as trusted SQL rather than as a statement with bound parameters. Depending on the database privileges of the service account, this could lead to unauthorized access to sensitive tables, modification or deletion of metadata, access to server-side files, or code execution via PostgreSQL features such as 'COPY ... FROM PROGRAM'.
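The following example, added here and not taken from Rucio, shows the defect class described above (filter keys and values pasted into SQL text with str.format) next to a parameterised builder that binds every value and allowlists keys. The table 'did_meta', its columns, the helper names and the sample rows are assumptions for illustration and do not reproduce FilterEngine or the Rucio schema; sqlite3 stands in for PostgreSQL so that the code runs offline.

```python
"""Unsafe string-formatted SQL beside a parameterised query builder.

Added example, not Rucio's own code. The table `did_meta`, its columns, the
helper names and the sample rows are assumptions for illustration. sqlite3
stands in for PostgreSQL; with psycopg3 the placeholder is "%s" and dynamic
column names would be composed with psycopg.sql.Identifier instead of the
string quoting used here.
"""
import sqlite3

# Constructed sample rows (scope, name, datatype, project); not real data.
SAMPLE_ROWS = [
    ("user.alice", "file1", "AOD", "projA"),
    ("user.alice", "file2", "RAW", "projA"),
    ("user.bob", "file3", "AOD", "projB"),
]

# Filter keys that may be used as column names. Identifiers cannot be bound
# as query parameters, so an allowlist is the control on the key side.
ALLOWED_KEYS = frozenset({"datatype", "project"})


def build_query_unsafe(scope, filters):
    """The defect class from the advisory: keys and values are pasted into the
    SQL text with str.format, so a quote inside a value ends the literal and a
    key can carry arbitrary SQL. Kept only for comparison with the safe builder."""
    clauses = ["scope = '{}'".format(scope)]
    for key, value in filters.items():
        clauses.append("{} = '{}'".format(key, value))
    return "SELECT name FROM did_meta WHERE " + " AND ".join(clauses)


def build_query_safe(scope, filters, placeholder="?"):
    """Hardened builder: keys are checked against ALLOWED_KEYS and quoted as
    identifiers; every value is returned as a bound parameter, never as text."""
    clauses = ["scope = " + placeholder]
    params = [scope]
    for key, value in filters.items():
        if key not in ALLOWED_KEYS:
            raise ValueError("unsupported metadata filter key: %r" % (key,))
        clauses.append('"{}" = {}'.format(key, placeholder))
        params.append(value)
    sql = "SELECT name FROM did_meta WHERE " + " AND ".join(clauses)
    return sql, tuple(params)


def search(filters, scope="user.alice", unsafe=False):
    """Run a filter against an in-memory table and return the matching names."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE did_meta (scope TEXT, name TEXT, datatype TEXT, project TEXT)"
    )
    conn.executemany("INSERT INTO did_meta VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    try:
        if unsafe:
            rows = conn.execute(build_query_unsafe(scope, filters)).fetchall()
        else:
            sql, params = build_query_safe(scope, filters)
            rows = conn.execute(sql, params).fetchall()
    finally:
        conn.close()
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    payload = {"datatype": "AOD' OR '1'='1"}
    # unsafe: the quote ends the literal and the scope check is bypassed
    print("unsafe:", search(payload, unsafe=True))  # ['file1', 'file2', 'file3']
    # safe: the whole string is bound as data and matches no row
    print("safe:  ", search(payload))  # []
    # psycopg-style placeholders for the same filter
    print(build_query_safe("user.alice", {"datatype": "AOD"}, placeholder="%s"))
```

The safe builder returns the statement and its parameters separately so the driver, not the application, is responsible for escaping values; a key that is not in the allowlist is rejected before any SQL is assembled, which is the check the string-formatting path lacks.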

Impact

Exploitation of this vulnerability allows for arbitrary SQL execution, with potential impacts including unauthorized data access, data modification, and remote code execution, particularly if the database user has elevated privileges.

Remediation

Users can upgrade to Rucio versions 35.8.5, 38.5.5, 39.4.2, or 40.1.1 to address this vulnerability.

Added: May 6, 2026, 6:26 PM
Updated: May 6, 2026, 6:26 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          0.0
impact          10.0
exploitability  4.8
remediation     0.0
relevance       7.6
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.