Corteza SQL Injection Vulnerability in Microsoft SQL Server Backend

Vulnerability

A SQL injection vulnerability has been identified in Corteza version 2024.9.8, specifically within its Microsoft SQL Server (MSSQL) backend. The issue arises when filtering Compose records by the 'meta' field. The root cause is improper escaping of single quotes in T-SQL string literals, which allows input to be injected into SQL queries. The flaw can be exploited by any authenticated user with 'records.search' permission on a module that includes a 'meta' attribute.
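The escaping problem described above, shown as an added Go example that is not Corteza's code: a backslash-style escape (an assumed illustration of this bug class) leaves a single quote live in T-SQL, while doubling the quote or binding the JSON path and value as parameters does not. The column name `meta`, the `@p1`/`@p2` parameter names and all function names are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// weakLiteral escapes quotes MySQL-style. T-SQL ignores the backslash, so the
// quote still terminates the literal (assumed illustration of the bug class).
func weakLiteral(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `\'`) + "'"
}

// tsqlLiteral doubles single quotes, the only escape T-SQL recognises.
func tsqlLiteral(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// isOneLiteral reports whether lit parses as exactly one T-SQL string literal,
// i.e. every quote between the delimiters is part of a doubled pair.
func isOneLiteral(lit string) bool {
	if len(lit) < 2 || lit[0] != '\'' || lit[len(lit)-1] != '\'' {
		return false
	}
	body := lit[1 : len(lit)-1]
	for i := 0; i < len(body); i++ {
		if body[i] != '\'' {
			continue
		}
		if i+1 >= len(body) || body[i+1] != '\'' {
			return false // lone quote ends the literal early
		}
		i++ // skip the second quote of the pair
	}
	return true
}

// boundMetaFilter keeps input out of the SQL text: path and value are bound
// parameters (SQL Server 2017+ accepts a variable as the JSON_VALUE path).
func boundMetaFilter(key, value string) (string, []interface{}) {
	return "JSON_VALUE(meta, @p1) = @p2", []interface{}{`$."` + key + `"`, value}
}

func main() {
	key := "o'brien" // constructed sample key containing a single quote
	fmt.Println(weakLiteral(key), isOneLiteral(weakLiteral(key)))
	fmt.Println(tsqlLiteral(key), isOneLiteral(tsqlLiteral(key)))
	fmt.Println(boundMetaFilter(key, "x"))
}
```

The bound form is the preferred fix because the SQL text no longer depends on the key at all; quote doubling is the fallback when a literal must be rendered.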

Impact

Exploitation of this vulnerability allows blind SQL injection, in which an attacker can manipulate SQL queries and potentially extract or modify database information.

Reproduction

To reproduce this vulnerability, an authenticated user with 'records.search' permission on a Corteza module with a 'meta' attribute must send a request to the Compose record list endpoint. The 'meta' parameter should be formatted as a JSON object, including a key that contains a single quote. The injection can be verified by observing an SQL error message in the response, which indicates that the query was altered.

Added: May 11, 2026, 4:33 PM
Updated: May 11, 2026, 4:33 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.