Ory Kratos SQL Injection Vulnerability in ListCourierMessages Admin API
Vulnerability
A SQL injection vulnerability has been identified in the ListCourierMessages Admin API of Ory Kratos, prior to version 26.2.0. The issue arises from flaws in the pagination implementation, where pagination tokens can be crafted to include malicious payloads leading to SQL injection. This vulnerability exists when the 'secrets.pagination' configuration is not set, allowing attackers to exploit a default, publicly known secret. Even when 'secrets.pagination' is configured, the vulnerability can be exploited if the attacker knows the secret and can pass a raw pagination token to the API.
Impact
Exploitation allows for arbitrary SQL query execution through forged pagination tokens.
Remediation
Users are advised to configure a custom value for 'secrets.pagination' by generating a cryptographically secure random secret, such as one created with OpenSSL. After updating the pagination secret, Ory Kratos should be upgraded to version 26.2.0 or later.
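The remediation above, as an added shell example that is not part of the advisory or the Ory project: it generates a random secret of the kind the advisory recommends, writes it under `secrets.pagination`, and checks the config before the upgrade to 26.2.0. The config path, the assumption that `secrets.pagination` is a list of strings like the other Kratos secrets, and the assumption that the file has no `secrets:` block yet are all mine.

```bash
#!/bin/sh
# Added example (not from the Ory project): set secrets.pagination to a
# cryptographically secure value and verify it before upgrading Kratos.
set -eu

# 32 random bytes rendered as 64 hex characters. openssl is preferred,
# /dev/urandom is the fallback when openssl is not installed.
gen_pagination_secret() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 32
  else
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
  fi
}

# Append a secrets.pagination block to a Kratos config file.
# ASSUMPTION: the file has no existing top-level "secrets:" block (if it does,
# add "pagination:" under it instead) and the key is a list of strings.
write_pagination_secret() {
  cfg="$1"
  secret="$2"
  printf 'secrets:\n  pagination:\n    - "%s"\n' "$secret" >> "$cfg"
}

# Exit 0 only when the config carries a pagination secret of at least
# 32 characters, i.e. not the empty/default state the advisory warns about.
check_pagination_secret() {
  cfg="$1"
  val=$(awk '/^  pagination:/{f=1;next}
             f&&/^    - /{sub(/^ *- */,"");gsub(/"/,"");print;exit}
             f&&/^  [a-z]/{f=0}' "$cfg")
  [ "${#val}" -ge 32 ]
}

# Demo on a constructed config file (a temp file, not a real deployment).
demo_cfg=$(mktemp)
printf 'dsn: memory\n' > "$demo_cfg"
if ! check_pagination_secret "$demo_cfg"; then
  echo "no pagination secret configured: fix before upgrading to 26.2.0"
fi
write_pagination_secret "$demo_cfg" "$(gen_pagination_secret)"
check_pagination_secret "$demo_cfg" && echo "secrets.pagination is set"
rm -f "$demo_cfg"
```

Run the check against the real config file before rolling the upgrade so the new secret is in place first; keep the generated value out of shell history and version control as you would any other Kratos secret.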
