rudder-server is vulnerable to SQL injection
Critical severity
GitHub Reviewed
Published
Aug 5, 2024
to the GitHub Advisory Database
•
Updated Nov 18, 2024
Package
Affected versions
< 1.3.0-rc.1
Patched versions
1.3.0-rc.1
Description
Published by the National Vulnerability Database
Jun 16, 2023
Published to the GitHub Advisory Database
Aug 5, 2024
Reviewed
Aug 5, 2024
Last updated
Nov 18, 2024
rudder-server is part of RudderStack, an open source Customer Data Platform (CDP). Versions of rudder-server prior to 1.3.0-rc.1 are vulnerable to SQL injection. This issue may lead to Remote Code Execution (RCE) due to the
rudder
role in PostgresSQL having superuser permissions by default. Version 1.3.0-rc.1 contains patches for this issue.References