Erupt SQL Injection Vulnerability in ORDER BY Clause

A SQL injection vulnerability has been identified in Erupt versions through 1.13.3. The issue arises in the 'geneEruptHqlOrderBy' function within 'EruptJpaUtils.java', where the 'sort.field' parameter is improperly validated before being concatenated into the Hibernate Query Language (HQL) ORDER BY clause. This flaw allows authenticated attackers to inject arbitrary HQL expressions, potentially leading to cross-table data exfiltration using boolean-based blind injection techniques. The vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability allows for HQL injection, where an attacker can manipulate the ORDER BY clause to execute arbitrary HQL commands. This could be used to exfiltrate data from other tables through blind injection methods.

Reproduction

To reproduce this vulnerability, send a request to the '/erupt-api/data/table/{erupt}' endpoint with a crafted 'sort.field' parameter. The injected HQL will be executed in the context of the database query, allowing for manipulation of the data retrieval process.