ByteDance Coze-Studio SQL Injection Vulnerability in Database Tool Component

Vulnerability

A critical SQL injection vulnerability has been identified in ByteDance Coze-Studio versions through 0.5.1. The issue resides in the 'ExecuteSQL' function within the 'databaseTool' component, specifically in the file 'backend/domain/memory/database/service/database_impl.go'. This vulnerability allows an unauthenticated or underprivileged user to execute arbitrary SQL queries by bypassing input validation mechanisms. The exploitation can be performed remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows for unauthorized execution of SQL queries, leading to extraction of sensitive database information, including authentication hashes and cross-tenant data. The vulnerability also disrupts tenant isolation, with potential for remote code execution if certain SQL functions are leveraged.

Reproduction

To reproduce this vulnerability, send a request to the Coze Studio Chat API v3 endpoint using an active 'ACCESS_TOKEN' and 'BOT_ID'. The request should carry a payload that prompts the database tool to execute a crafted SQL query. The query is shaped to bypass the SQL validation: MySQL backtick quoting evades the uppercase substring checks, and parentheses break the regular-expression extraction of table names.
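The validation weakness described above (substring checks and a regular expression over raw SQL text) is the kind of check that quoting and bracketing defeat. As an added example that is not Coze-Studio's own code, the Go program below shows the defensive alternative: tokenize the statement first, unwrap backtick-quoted identifiers and blank out string literals, then apply the policy (single SELECT only, no comments, no statement separators, every table after FROM/JOIN in an allowlist) to the tokens rather than to the text. The allowlist contents, the table names in the sample queries and the function names are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// allowedTables is a hypothetical per-tenant allowlist; a real deployment
// would load it from the tenant's schema metadata.
var allowedTables = map[string]bool{"orders": true, "customers": true}

// stopWords end the scan for a comma-separated table list after FROM/JOIN.
var stopWords = map[string]bool{
	"where": true, "join": true, "on": true, "group": true, "order": true,
	"limit": true, "having": true, "union": true, "inner": true, "left": true,
	"right": true, "cross": true, "natural": true, ")": true,
}

// tokenize splits SQL into lower-cased tokens. Backtick-quoted identifiers are
// unwrapped, string literals become a placeholder and comments are rejected,
// so none of them can hide a keyword or a table name from the policy checks.
func tokenize(sql string) ([]string, error) {
	var toks []string
	rs := []rune(sql)
	for i := 0; i < len(rs); {
		c := rs[i]
		switch {
		case unicode.IsSpace(c):
			i++
		case c == '`':
			// `Orders` and orders must compare equal against the allowlist.
			j := i + 1
			for j < len(rs) && rs[j] != '`' {
				j++
			}
			if j >= len(rs) {
				return nil, fmt.Errorf("unterminated backtick identifier")
			}
			toks = append(toks, strings.ToLower(string(rs[i+1:j])))
			i = j + 1
		case c == '\'' || c == '"':
			// Literal contents can neither trigger nor dodge a keyword check.
			j := i + 1
			for j < len(rs) && rs[j] != c {
				if rs[j] == '\\' {
					j++
				}
				j++
			}
			if j >= len(rs) {
				return nil, fmt.Errorf("unterminated string literal")
			}
			toks = append(toks, "'?'")
			i = j + 1
		case c == '#', c == '-' && i+1 < len(rs) && rs[i+1] == '-', c == '/' && i+1 < len(rs) && rs[i+1] == '*':
			return nil, fmt.Errorf("comments are not permitted")
		case unicode.IsLetter(c) || c == '_':
			j := i
			for j < len(rs) && (unicode.IsLetter(rs[j]) || unicode.IsDigit(rs[j]) || rs[j] == '_' || rs[j] == '$') {
				j++
			}
			toks = append(toks, strings.ToLower(string(rs[i:j])))
			i = j
		case unicode.IsDigit(c):
			j := i
			for j < len(rs) && (unicode.IsDigit(rs[j]) || rs[j] == '.') {
				j++
			}
			toks = append(toks, string(rs[i:j]))
			i = j
		default:
			// Punctuation and operators are single-rune tokens.
			toks = append(toks, string(c))
			i++
		}
	}
	return toks, nil
}

// ValidateSelect accepts only a single SELECT whose table references are
// allowlisted. Because it works on tokens, quoting, case and spacing cannot
// disguise a keyword or a table name.
func ValidateSelect(sql string) error {
	toks, err := tokenize(sql)
	if err != nil {
		return err
	}
	if len(toks) == 0 || toks[0] != "select" {
		return fmt.Errorf("only SELECT statements are permitted")
	}
	for i, t := range toks {
		switch t {
		case ";":
			return fmt.Errorf("statement separators are not permitted")
		case "from", "join":
			if i+1 >= len(toks) {
				return fmt.Errorf("missing table reference after %s", strings.ToUpper(t))
			}
			name := toks[i+1]
			if name == "(" {
				return fmt.Errorf("derived tables after %s are not permitted", strings.ToUpper(t))
			}
			if i+2 < len(toks) && toks[i+2] == "." {
				return fmt.Errorf("schema-qualified table %q is not permitted", name)
			}
			if !allowedTables[name] {
				return fmt.Errorf("table %q is not in the allowlist", name)
			}
			// A comma-separated table list would slip a second table past the
			// check above, so reject it up to the next clause keyword.
			for j := i + 2; j < len(toks) && !stopWords[toks[j]]; j++ {
				if toks[j] == "," {
					return fmt.Errorf("comma-separated table lists are not permitted")
				}
			}
		}
	}
	return nil
}

func main() {
	for _, q := range []string{
		"SELECT id, total FROM orders WHERE id = 5",
		"select o.id from `orders` o join customers c on o.cid = c.id",
		"SELECT * FROM `audit_log`",
		"SELECT 1; SELECT 2",
	} {
		fmt.Printf("%-62s -> %v\n", q, ValidateSelect(q))
	}
}
```

The policy is deliberately strict (no comments, no schema qualifiers, no derived tables or comma-joins) because every relaxation is a place where a text-level check has historically been bypassed; a production database tool should go one step further and run the query through a real MySQL parser so that the table allowlist is applied to the resulting AST rather than to a token stream.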

Added: Apr 26, 2026, 7:18 AM
Updated: Apr 26, 2026, 7:18 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          3.1
exploitability  8.7
remediation     0.0
relevance       6.8
threat          6.4
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.