Daptin SQL Injection Vulnerability in Aggregate API Endpoint
Vulnerability
A SQL injection vulnerability has been identified in Daptin, a headless CMS that exposes GraphQL and JSON-API interfaces. The issue affects versions prior to 0.11.4. It arises in the '/aggregate/:typename' endpoint, where the 'column' and 'group' query parameters are accepted without validation or allowlisting. Their values are passed directly to 'goqu.L()', the goqu query builder's raw SQL literal constructor, which splices its argument into the query text verbatim rather than binding it as a parameter. Any authenticated user can therefore inject arbitrary SQL expressions into the SELECT list and GROUP BY clause of the generated query. Exploitation could lead to unauthorized data access or disclosure of database information.
Impact
Exploitation of this vulnerability allows authenticated users to inject arbitrary SQL expressions into the aggregate query. Because the values are emitted as raw literals, parameterization never applies to them, and the injected text is executed as SQL. This could be used to read data from tables other than the one named in the request, disclose database internals such as version and schema details, or exfiltrate cross-table data through correlated subqueries placed in the 'column' or 'group' parameters.
Reproduction
To reproduce this vulnerability, send an authenticated request to the '/aggregate/:typename' endpoint with crafted 'column' or 'group' query parameters. The injected SQL expressions are executed without validation, allowing data to be extracted from the database.
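The following Go program, added here as an illustration and not taken from Daptin or goqu, shows the vulnerable pattern described in the Vulnerability and Reproduction sections next to a hardened version. The unsafe builder splices the raw 'column' and 'group' values into the SQL text, which is what passing them to a raw literal builder such as goqu.L() amounts to; the safe builder only emits identifiers that pass a syntax check and exist in a schema allowlist, and only permits a closed set of aggregate functions. The table names, column names, the 'schema' map and the helper names are assumptions for the example; the injected request value is constructed for demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Constructed schema allowlist standing in for the CMS's own knowledge of
// its tables. Only names present here may ever reach the SQL text.
var schema = map[string]map[string]bool{
	"user_account": {"id": true, "status": true, "created_at": true},
	"other_table":  {"id": true, "name": true},
}

// buildAggregateUnsafe mirrors the vulnerable pattern: the raw "column" and
// "group" parameters are concatenated into the query unchanged, exactly as a
// raw literal builder such as goqu.L() would emit them. Illustration only.
func buildAggregateUnsafe(typename string, columns, groups []string) string {
	q := "SELECT " + strings.Join(columns, ", ") + " FROM " + typename
	if len(groups) > 0 {
		q += " GROUP BY " + strings.Join(groups, ", ")
	}
	return q
}

// identRe is the only shape an identifier may take; spaces, parentheses,
// quotes and operators fail here before any lookup happens.
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// allowedAggregates is the closed set of functions the endpoint supports.
var allowedAggregates = map[string]bool{
	"count": true, "sum": true, "avg": true, "min": true, "max": true,
}

// parseColumnSpec accepts "column" or "func(column)" (plus count(*)) and
// returns a quoted expression only when func is allowlisted and column is a
// valid identifier present in the table's schema. Double-quote identifier
// quoting is assumed (PostgreSQL/SQLite style); MySQL would use backticks.
func parseColumnSpec(spec string, cols map[string]bool) (string, error) {
	spec = strings.TrimSpace(spec)
	fn, col := "", spec
	if i := strings.IndexByte(spec, '('); i >= 0 {
		if !strings.HasSuffix(spec, ")") {
			return "", fmt.Errorf("malformed column spec %q", spec)
		}
		fn = strings.ToLower(spec[:i])
		col = spec[i+1 : len(spec)-1]
		if !allowedAggregates[fn] {
			return "", fmt.Errorf("aggregate %q not permitted", fn)
		}
		if fn == "count" && col == "*" {
			return "count(*)", nil
		}
	}
	if !identRe.MatchString(col) {
		return "", fmt.Errorf("invalid column identifier %q", col)
	}
	if !cols[col] {
		return "", fmt.Errorf("unknown column %q", col)
	}
	quoted := `"` + col + `"`
	if fn != "" {
		return fn + "(" + quoted + ")", nil
	}
	return quoted, nil
}

// buildAggregateSafe is the hardened form: every fragment that reaches the
// SQL text is a fixed keyword or an allowlisted, quoted identifier, so the
// request parameters can never contribute SQL syntax of their own.
func buildAggregateSafe(typename string, columns, groups []string) (string, error) {
	cols, ok := schema[typename]
	if !ok {
		return "", fmt.Errorf("unknown table %q", typename)
	}
	if len(columns) == 0 {
		return "", errors.New("at least one column is required")
	}
	sel := make([]string, 0, len(columns))
	for _, c := range columns {
		expr, err := parseColumnSpec(c, cols)
		if err != nil {
			return "", err
		}
		sel = append(sel, expr)
	}
	q := "SELECT " + strings.Join(sel, ", ") + ` FROM "` + typename + `"`
	if len(groups) > 0 {
		grp := make([]string, 0, len(groups))
		for _, g := range groups {
			// GROUP BY terms must be bare schema columns, never expressions.
			if !identRe.MatchString(g) || !cols[g] {
				return "", fmt.Errorf("invalid group column %q", g)
			}
			grp = append(grp, `"`+g+`"`)
		}
		q += " GROUP BY " + strings.Join(grp, ", ")
	}
	return q, nil
}

func main() {
	// Constructed request: the second "column" value is a subquery against a
	// different table, the cross-table read the advisory warns about.
	columns := []string{"count(*)", "(SELECT name FROM other_table LIMIT 1)"}
	groups := []string{"status"}
	fmt.Println(buildAggregateUnsafe("user_account", columns, groups))
	if _, err := buildAggregateSafe("user_account", columns, groups); err != nil {
		fmt.Println("rejected:", err)
	}
	q, _ := buildAggregateSafe("user_account", []string{"count(id)", "status"}, groups)
	fmt.Println(q)
}
```

The unsafe builder returns the subquery embedded verbatim in the SELECT list, while the hardened builder rejects it because "(SELECT ... )" is neither an allowlisted function nor a bare identifier. The same check applies to the 'group' values, since a GROUP BY term is just as injectable as a column. The key design point is that validation happens against a closed set of known names, not by escaping: identifiers cannot be bound as query parameters, so allowlisting is the only reliable defence for this class of input.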
Remediation
Users are advised to update Daptin to version 0.11.4 or later, where this vulnerability has been patched. No configuration changes are required after the update.
