Kestra SQL Injection Vulnerability Leading to Remote Code Execution

Vulnerability

A SQL injection vulnerability has been identified in Kestra versions through 1.3.3. It allows authenticated users to inject arbitrary SQL expressions into database queries through an unvalidated GET parameter. The flaw arises because user-controlled data is appended directly to SQL queries without sanitization or parameterization. Exploitation can lead to remote code execution, because the injected SQL is executed by PostgreSQL, where a 'COPY ... TO PROGRAM ...' statement can run arbitrary operating system commands on the database host.

Impact

Exploitation of this vulnerability allows for SQL injection that can be escalated to remote code execution, particularly in environments using PostgreSQL as the database.
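The escalation step described above leaves a distinctive trace in PostgreSQL's statement log, and 'COPY ... TO PROGRAM' only works for a superuser or a member of pg_execute_server_program, so the application's database role is the first thing to check. The following detector, an added example that is not part of the advisory or of Kestra, scans constructed log lines (log_statement = 'all', log_line_prefix = '%m [%u@%d] ') for server-side program execution and for stacked statements from the application role; the role name 'kestra' and the log format are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of PostgreSQL statement logs; the lines are made up for
# this example and do not come from the advisory.
SAMPLE_LOG = """\
2026-05-05 19:21:01.100 UTC [kestra@kestra] LOG:  statement: SELECT id FROM flows WHERE labels @> $1
2026-05-05 19:21:02.200 UTC [kestra@kestra] LOG:  statement: SELECT id FROM flows WHERE labels @> '{}'::jsonb; COPY (SELECT 1) TO PROGRAM 'id'
2026-05-05 19:21:03.300 UTC [postgres@postgres] LOG:  statement: COPY flows TO '/backup/flows.csv'
2026-05-05 19:21:04.400 UTC [kestra@kestra] LOG:  statement: COPY events FROM PROGRAM 'cat /tmp/x'
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<role>[^@\]]+)@(?P<db>[^\]]+)\] LOG:  statement: (?P<sql>.*)$")
# Any COPY that hands data to or takes data from a server-side program.
PROGRAM_RE = re.compile(r"\bCOPY\b.*?\b(?:TO|FROM)\s+PROGRAM\b", re.IGNORECASE | re.DOTALL)
# Application roles that never legitimately need server-side program execution (assumed).
APP_ROLES = {"kestra"}

def split_statements(sql: str) -> List[str]:
    """Split on ';' outside quotes; coarse but sufficient for log triage."""
    parts, buf, quote = [], [], None
    for ch in sql:
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == ";":
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per logged statement that runs a program or stacks queries."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stmts = split_statements(m["sql"])
        stacked = len(stmts) > 1
        program = any(PROGRAM_RE.search(s) for s in stmts)
        from_app = m["role"] in APP_ROLES
        if not (program or (stacked and from_app)):
            continue
        severity = "critical" if program and from_app else "high" if program else "medium"
        reason = "COPY ... PROGRAM" if program else "stacked statements from application role"
        findings.append({"ts": m["ts"], "role": m["role"], "severity": severity, "reason": reason})
    return findings
```

The first sample line is what a correctly parameterized containment filter looks like in the log ($1 instead of an inlined literal); the plain file COPY by the postgres role is deliberately not flagged.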

Reproduction

To reproduce this vulnerability, log into the application and navigate to the '/api/v1/main/flows/search' endpoint. Inject a payload that exploits the SQL injection vulnerability by breaking out of the JSONB containment expression and executing a stacked query using the 'COPY ... TO PROGRAM ...' command. This can be done by crafting a URL that includes the malicious payload in the 'filters[labels][EQUALS]' parameter. If the payload is successful, it will execute a command on the host and write the output to a file, which can be verified by checking the file's contents.

Remediation

Update to Kestra version 1.3.7 or later, or to version 1.0.35; both contain the fix for this vulnerability.

Added: May 5, 2026, 7:21 PM
Updated: May 5, 2026, 7:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 7.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.