Kestra SQL Injection Vulnerability Leading to Remote Code Execution
Vulnerability
A SQL injection vulnerability has been identified in Kestra, an open-source orchestration platform, prior to version 1.3.7. This vulnerability is present in the default docker-compose deployment and affects the endpoint 'GET /api/v1/main/flows/search'. Once authenticated, a user can trigger the vulnerability by visiting a crafted link. The injected SQL payload is executed by PostgreSQL using 'COPY ... TO PROGRAM ...', allowing the execution of arbitrary operating system commands on the host.
Impact
Exploitation of this vulnerability allows for remote code execution on the host machine.
Reproduction
To reproduce this vulnerability, log into the Kestra application and request the 'GET /api/v1/main/flows/search' endpoint with a SQL payload placed in the 'filters[labels][EQUALS]' parameter. The injected SQL is executed by PostgreSQL, and a 'COPY ... TO PROGRAM ...' statement lets it run arbitrary OS commands on the host.
Remediation
Users can upgrade to Kestra version 1.3.7 or later to address this vulnerability.
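Until the upgrade is rolled out, two defender-side checks follow from the advisory: whether the Kestra database role can issue 'COPY ... TO PROGRAM' at all, and whether any such statement has already appeared in the PostgreSQL statement log. The following is an added example written for this page, not Kestra's or PostgreSQL's own code; the log lines are constructed, the role name 'kestra' and the log format assume 'log_statement = all' with the default log line prefix shape shown, and it also flags the equivalent 'COPY ... FROM PROGRAM' form, which is not mentioned on the page.

```python
import re

# Constructed PostgreSQL statement-log excerpt (log_statement = 'all'); not real
# Kestra output. Line 2 has the COPY ... TO PROGRAM shape from the advisory,
# line 4 the equivalent COPY ... FROM PROGRAM, line 3 is a harmless file COPY.
SAMPLE_PG_LOG = """\
2024-05-01 10:00:01 UTC [1234] kestra@kestra LOG:  statement: SELECT id FROM flows WHERE namespace = 'prod'
2024-05-01 10:00:02 UTC [1234] kestra@kestra LOG:  statement: COPY (SELECT 1) TO PROGRAM 'echo hit'
2024-05-01 10:00:03 UTC [1235] kestra@kestra LOG:  statement: copy flows to '/tmp/flows.csv'
2024-05-01 10:00:04 UTC [1236] backup@kestra LOG:  statement: COPY t   FROM   program 'echo hit'
"""

# One statement-log line: "<ts> [<pid>] <user>@<db> LOG:  statement: <sql>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[\d+\] (?P<user>[^@\s]+)@(?P<db>\S+) LOG:\s+statement: (?P<sql>.*)$"
)

# COPY ... TO PROGRAM / FROM PROGRAM hands a shell command to the server process;
# an application role has no business issuing it. Case and whitespace are
# normalised so "copy ... to   program" is still caught.
PROGRAM_COPY = re.compile(r"\bCOPY\b.*?\b(TO|FROM)\s+PROGRAM\b", re.IGNORECASE | re.DOTALL)


def find_program_copy(log_text, app_roles=("kestra",)):
    """Return one record per logged statement that spawns a server-side program.

    Statements issued by a role in app_roles are what the advisory's injection
    would produce; other roles are reported too, tagged for triage."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not PROGRAM_COPY.search(m["sql"]):
            continue
        hits.append({"ts": m["ts"], "user": m["user"], "sql": m["sql"],
                     "app_role": m["user"] in app_roles})
    return hits


# Run as the Kestra application role: both columns should be false in a
# least-privilege setup, which blocks the COPY ... PROGRAM primitive even if
# the injection itself is still reachable.
PRIVILEGE_CHECK_SQL = """
SELECT rolsuper,
       pg_has_role(current_user, 'pg_execute_server_program', 'MEMBER') AS can_exec_program
  FROM pg_roles WHERE rolname = current_user;
"""

if __name__ == "__main__":
    for hit in find_program_copy(SAMPLE_PG_LOG):
        print(hit)
```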
