Fleet
cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*
- < 4.81.0
A SQL injection vulnerability has been identified in Fleet's open-source device management software prior to version 4.81.0. The flaw lies in the MDM bootstrap package configuration and allows an authenticated user holding the Team Admin or Global Admin role to manipulate team configurations, exfiltrate sensitive data from the Fleet database, and inject arbitrary content into team configurations through direct API calls. The root cause is inadequate server-side input validation: crafted input reaches the database query and changes how the query behaves. Exploitation could lead to cross-team data corruption, unauthorized access to sensitive information such as password hashes and API tokens, and potential privilege escalation. Instances with Apple MDM disabled are not affected.
Exploitation of this vulnerability could result in unauthorized modification of team configurations, exfiltration of sensitive data from the Fleet database, cross-team data corruption, and potential privilege escalation.
Users are advised to upgrade to Fleet version 4.81.0 or later. If an immediate upgrade is not possible, Apple MDM can be temporarily disabled or admin roles can be limited.
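To make the class of bug described above concrete, here is an added illustration that is not Fleet's code: a toy "team configuration" table in an in-memory SQLite database (Fleet itself is written in Go and uses MySQL, and its real schema and query text are not on this page). It contrasts an update that interpolates the bootstrap package value into the SQL text with one that binds it as a parameter, and adds the kind of server-side allowlist check the advisory says was missing. The table name, column names and sample values are all constructed for the example.

```python
import re
import sqlite3

# Constructed schema standing in for a per-team MDM configuration table.
# It is not Fleet's real schema; it exists only to show the query behaviour.
SCHEMA = """
CREATE TABLE team_config (
    team_id INTEGER PRIMARY KEY,
    bootstrap_package TEXT NOT NULL
);
INSERT INTO team_config VALUES (1, 'team-1.pkg');
INSERT INTO team_config VALUES (2, 'team-2.pkg');
"""

# Hypothetical allowlist for a bootstrap package file name: letters, digits,
# dot, underscore and hyphen only. Quotes, spaces and SQL comment markers fail.
PACKAGE_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,255}$")


def new_db() -> sqlite3.Connection:
    """Create a fresh in-memory database seeded with two teams."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def packages(conn: sqlite3.Connection) -> dict:
    """Return {team_id: bootstrap_package} so results can be compared."""
    rows = conn.execute("SELECT team_id, bootstrap_package FROM team_config")
    return {team_id: pkg for team_id, pkg in rows}


def set_bootstrap_package_unsafe(conn, team_id: int, package: str) -> None:
    """Vulnerable pattern: the value is pasted into the SQL text.

    A value containing a quote and a comment marker can terminate the string
    literal and rewrite the WHERE clause, so one team's admin can overwrite
    every team's row (the cross-team corruption the advisory describes).
    """
    sql = (
        "UPDATE team_config SET bootstrap_package = '%s' WHERE team_id = %d"
        % (package, team_id)
    )
    conn.execute(sql)
    conn.commit()


def set_bootstrap_package_safe(conn, team_id: int, package: str) -> None:
    """Fixed pattern: the value is bound as a parameter.

    The database receives the SQL shape and the data separately, so whatever
    the string contains is stored as a literal and the WHERE clause is intact.
    """
    conn.execute(
        "UPDATE team_config SET bootstrap_package = ? WHERE team_id = ?",
        (package, team_id),
    )
    conn.commit()


def validate_package_name(package: str) -> bool:
    """Defense in depth: accept only file-name-like values before any query."""
    return PACKAGE_NAME_RE.fullmatch(package) is not None


def set_bootstrap_package_hardened(conn, team_id: int, package: str) -> None:
    """Validate on the server, then use the parameterized update."""
    if not validate_package_name(package):
        raise ValueError("bootstrap package name rejected by allowlist")
    set_bootstrap_package_safe(conn, team_id, package)


if __name__ == "__main__":
    # Constructed input: a quote closes the literal, then the rest of the
    # original statement is commented out, leaving an unconditional UPDATE.
    crafted = "x' WHERE 1=1 --"

    db = new_db()
    set_bootstrap_package_unsafe(db, 1, crafted)
    print("interpolated:", packages(db))   # both teams now read 'x'

    db = new_db()
    set_bootstrap_package_safe(db, 1, crafted)
    print("parameterized:", packages(db))  # team 1 stores the string verbatim

    db = new_db()
    try:
        set_bootstrap_package_hardened(db, 1, crafted)
    except ValueError as exc:
        print("hardened:", exc)
```

The parameterized update is the actual fix; the allowlist is a second layer that also makes a rejected request easy to log and alert on, since legitimate package names never contain quotes or comment sequences.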