Skip to content

rudder-server is vulnerable to SQL injection

High severity GitHub Reviewed Published Aug 5, 2024 to the GitHub Advisory Database • Updated Aug 5, 2024

Package

gomod github.com/rudderlabs/rudder-server (Go)

Affected versions

< 1.3.0-rc.1

Patched versions

1.3.0-rc.1

Description

rudder-server is part of RudderStack, an open source Customer Data Platform (CDP). Versions of rudder-server prior to 1.3.0-rc.1 are vulnerable to SQL injection. This issue may lead to Remote Code Execution (RCE) due to the rudder role in PostgresSQL having superuser permissions by default. Version 1.3.0-rc.1 contains patches for this issue.

References

Published by the National Vulnerability Database Jun 16, 2023
Published to the GitHub Advisory Database Aug 5, 2024
Reviewed Aug 5, 2024
Last updated Aug 5, 2024

Severity

High

EPSS score

95.424%
(99th percentile)

Weaknesses

CVE ID

CVE-2023-30625

GHSA ID

GHSA-3jmm-f6jj-rcc3
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.