Ory Keto SQL Injection Vulnerability in GetRelationships API Pagination
Vulnerability
A SQL injection vulnerability has been identified in the GetRelationships API of Ory Keto, an open-source authorization server, in versions prior to 26.2.0. The issue arises from flaws in the API's pagination implementation, which allow an attacker to craft malicious pagination tokens that reach SQL query execution. The vulnerability is present when the pagination secret is not properly configured, leaving such installations open to exploitation.
Impact
Exploitation of this vulnerability allows for arbitrary SQL query execution through forged pagination tokens, potentially leading to unauthorized data access or manipulation.
Remediation
Users are advised to immediately configure a custom value for the 'secrets.pagination' setting by generating a cryptographically secure random secret. Following this, upgrade Ory Keto to version 26.2.0 or later as soon as possible.
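As an added example (not Ory's own tooling), the script below generates a random pagination secret from the OS CSPRNG and checks a Keto YAML config file for a non-empty 'secrets.pagination' value, so the secret can be confirmed before the upgrade. It assumes the config uses 2-space indentation and that Keto accepts the secret as a plain string under that key (either scalar or list form); a production check should go through Keto's own config loader.

```shell
#!/bin/sh
# Added example (not Ory's code): generate a pagination secret and check that a
# Keto YAML config sets 'secrets.pagination' before upgrading to 26.2.0.

# 32 bytes from the OS CSPRNG, hex-encoded (64 chars). The value format
# (plain string, no derivation) is an assumption about Keto's config.
gen_pagination_secret() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Return 0 when FILE sets a non-empty secrets.pagination (scalar form, or the
# first item if it is a list), else 1. Assumes 2-space YAML indentation.
has_pagination_secret() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/  { next }                   # comments, blanks
        /^secrets:/               { in_secrets = 1; next }
        /^[^ ]/                   { in_secrets = 0; in_pag = 0 }
        in_secrets && /^  pagination:/ {
            sub(/^  pagination:[ \t]*/, ""); gsub(/"/, "")
            if ($0 != "") { found = 1; exit }                # scalar form
            in_pag = 1; next
        }
        in_secrets && /^  [^ ]/   { in_pag = 0 }             # another key under secrets
        in_pag && /^    - /       {
            sub(/^    - [ \t]*/, ""); gsub(/"/, "")
            if ($0 != "") found = 1                          # list form
            exit
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Stand-alone demo on a constructed config that lacks the secret.
demo_cfg=$(mktemp)
printf 'dsn: memory\nserve:\n  read:\n    port: 4466\n' > "$demo_cfg"
if has_pagination_secret "$demo_cfg"; then
    echo "secrets.pagination is set"
else
    echo "secrets.pagination missing: generating one"
    printf 'secrets:\n  pagination:\n    - %s\n' "$(gen_pagination_secret)" >> "$demo_cfg"
    has_pagination_secret "$demo_cfg" && echo "now set; restart Keto, then upgrade"
fi
rm -f "$demo_cfg"
```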
