Jellystat SQL Injection Vulnerability Leading to Remote Code Execution
Vulnerability
A critical SQL injection vulnerability has been identified in Jellystat, a statistics application for Jellyfin, in versions prior to 1.1.10. The vulnerability exists in multiple API endpoints that construct SQL queries by directly inserting unsanitized request-body data into raw SQL strings. This flaw allows an authenticated user to inject arbitrary SQL through the 'POST /api/getUserDetails' and 'POST /api/getLibrary' endpoints. Exploitation of this vulnerability could lead to unauthorized access to sensitive data, including admin credentials and API keys, and could be escalated to arbitrary command execution on the PostgreSQL host.
Impact
Successful exploitation allows for full read access to any database table, including sensitive information such as admin credentials and API keys. The vulnerability can be escalated to remote code execution on the PostgreSQL host, with the injected command executed as the 'postgres' OS user.
Reproduction
To reproduce this vulnerability, an authenticated user can send a POST request to either the '/api/getUserDetails' or '/api/getLibrary' endpoint with a payload that includes a crafted SQL injection. The injection exploits the lack of input validation and parameterization in the SQL query handling, allowing the attacker to manipulate the SQL query execution. After injecting SQL that reads sensitive data, the same injection technique can be used to execute arbitrary commands on the PostgreSQL host, taking advantage of the 'COPY ... TO PROGRAM' functionality.
Remediation
Users are advised to update to Jellystat version 1.1.10, where this vulnerability has been fixed. Additionally, review and update the database role privileges configured in the 'docker-compose.yml' file so that the database role Jellystat connects with cannot run 'COPY ... TO PROGRAM'.
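The vulnerable pattern described above, shown beside its parameterized fix, as an added illustration that is not Jellystat's own code. It assumes node-postgres style query objects ({ text, values }) and an Express-style req.body; the table name, column name and allow-list pattern are assumptions.

```javascript
// Added example (not Jellystat's code). Table/column names are hypothetical.
// Constructed allow-list for the id format the endpoint expects.
const USER_ID_RE = /^[A-Za-z0-9-]{1,64}$/;

// Vulnerable pattern: the request-body value is spliced into raw SQL text,
// so a quote in the input changes the structure of the statement.
function buildUserDetailsQueryUnsafe(body) {
  return `SELECT * FROM users WHERE "Id" = '${body.userid}'`;
}

// Hardened pattern: the value is validated against an allow-list and then
// passed to the driver as a bound parameter ($1), never as SQL text.
function buildUserDetailsQuerySafe(body) {
  const userid = body.userid;
  if (typeof userid !== 'string' || !USER_ID_RE.test(userid)) {
    throw new TypeError('invalid userid');
  }
  return { text: 'SELECT * FROM users WHERE "Id" = $1', values: [userid] };
}

// Crude structural check used only for illustration: count the string
// literals the database would parse once the body value is in place.
function countStringLiterals(sql) {
  return (sql.match(/'(?:[^']|'')*'/g) || []).length;
}
```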
