{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/dgraph/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Dgraph"],"_cs_severities":["critical"],"_cs_tags":["dgraph","dql-injection","injection","database-exfiltration"],"_cs_type":"advisory","_cs_vendors":["Dgraph"],"content_html":"\u003cp\u003eA critical vulnerability exists in Dgraph, a graph database, allowing unauthenticated attackers to perform full database exfiltration. This flaw resides within the \u003ccode\u003e/mutate\u003c/code\u003e endpoint, specifically when Access Control Lists (ACL) are disabled, which is the default configuration. By injecting malicious DQL queries via a crafted \u003ccode\u003econd\u003c/code\u003e field in an upsert mutation, attackers can bypass authorization checks and extract sensitive data, including user credentials and secrets. The vulnerability stems from the lack of proper sanitization of the \u003ccode\u003econd\u003c/code\u003e field, leading to direct concatenation into the DQL query string. 
This vulnerability was found in v25.3.0, but may exist in other versions as well.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends an HTTP POST request to the \u003ccode\u003e/mutate?commitNow=true\u003c/code\u003e endpoint without any authentication headers (e.g., \u003ccode\u003eX-Dgraph-AccessToken\u003c/code\u003e, \u003ccode\u003eX-Dgraph-AuthToken\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emutationHandler\u003c/code\u003e in \u003ccode\u003ehttp.go\u003c/code\u003e extracts the request body and processes the \u003ccode\u003emutations\u003c/code\u003e array, including the \u003ccode\u003econd\u003c/code\u003e field, using \u003ccode\u003estrconv.Unquote\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request proceeds to \u003ccode\u003eedgraph.Server.QueryNoGrpc\u003c/code\u003e, where the \u003ccode\u003eCond\u003c/code\u003e value is copied verbatim to \u003ccode\u003edql.Mutation.Cond\u003c/code\u003e in \u003ccode\u003eserver.go\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ebuildUpsertQuery\u003c/code\u003e function in \u003ccode\u003eserver.go\u003c/code\u003e performs a simple string replacement (\u003ccode\u003e@if\u003c/code\u003e to \u003ccode\u003e@filter\u003c/code\u003e) but otherwise concatenates the unsanitized \u003ccode\u003eCond\u003c/code\u003e value into the DQL query.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edql.ParseWithNeedVars\u003c/code\u003e parser processes the constructed DQL string, accepting the injected query blocks as valid DQL.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eauthorizeQuery\u003c/code\u003e function in \u003ccode\u003eaccess.go\u003c/code\u003e returns \u003ccode\u003enil\u003c/code\u003e immediately because ACL is disabled (\u003ccode\u003eAclSecretKey == nil\u003c/code\u003e), bypassing authorization checks.\u003c/li\u003e\n\u003cli\u003eThe injected query block executes, 
traversing and extracting data from the database.\u003c/li\u003e\n\u003cli\u003eThe response, containing the exfiltrated data, is returned to the attacker via \u003ccode\u003ehttp.go\u003c/code\u003e, effectively granting unauthorized access to sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in complete database exfiltration. Attackers can retrieve all nodes, predicates, and values within the Dgraph database, including sensitive data such as user credentials, API keys, and Personally Identifiable Information (PII). Because Dgraph's default configuration leaves ACL disabled, this poses a significant risk to organizations relying on Dgraph for data storage. The injection can also manipulate upsert conditions, bypassing uniqueness constraints and conditional mutation logic.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable ACL on all Dgraph instances and configure appropriate access controls to mitigate unauthorized data access.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Dgraph DQL Injection in Mutation Endpoint\u003c/code\u003e to identify potentially malicious requests to the \u003ccode\u003e/mutate\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eSanitize and validate user-supplied input, especially the \u003ccode\u003econd\u003c/code\u003e field in mutation requests, to prevent DQL injection attacks.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic to detect suspicious POST requests to the \u003ccode\u003e/mutate\u003c/code\u003e endpoint with unusual or unexpected \u003ccode\u003econd\u003c/code\u003e values.\u003c/li\u003e\n\u003cli\u003eReview and restrict network access to the Dgraph instance, limiting access only to authorized clients and 
networks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-26T12:00:00Z","date_published":"2024-10-26T12:00:00Z","id":"/briefs/2024-10-dgraph-dql-injection/","summary":"A pre-authentication DQL injection vulnerability in Dgraph's `/mutate` endpoint, when ACL is disabled, allows attackers to exfiltrate the entire database by crafting a malicious `cond` field in an upsert mutation.","title":"Dgraph Pre-Auth DQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-10-dgraph-dql-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Dgraph"],"_cs_severities":["critical"],"_cs_tags":["dgraph","authentication-bypass","admin-token-disclosure"],"_cs_type":"advisory","_cs_vendors":["Dgraph"],"content_html":"\u003cp\u003eDgraph, a graph database, exposes sensitive information through an unauthenticated endpoint, \u003ccode\u003e/debug/vars\u003c/code\u003e, in versions prior to 25.3.3. The vulnerability arises because the admin token is often passed as a command-line argument using the \u003ccode\u003e--security \u0026quot;token=...\u0026quot;\u003c/code\u003e flag. This argument is exposed through the \u003ccode\u003e/debug/vars\u003c/code\u003e endpoint, which is enabled by default via Go\u0026rsquo;s \u003ccode\u003eexpvar\u003c/code\u003e package. An attacker can retrieve this token without authentication and then use it to gain administrative privileges by including it in the \u003ccode\u003eX-Dgraph-AuthToken\u003c/code\u003e header of subsequent requests. This is a bypass of previous attempts to mitigate similar issues via \u003ccode\u003e/debug/pprof/cmdline\u003c/code\u003e, which were addressed incompletely. 
This issue impacts deployments where the Alpha HTTP port is reachable by untrusted parties, allowing for a full authentication bypass.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends an unauthenticated GET request to the \u003ccode\u003e/debug/vars\u003c/code\u003e endpoint on the Dgraph Alpha server (e.g., \u003ccode\u003eGET /debug/vars HTTP/1.1\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server responds with a JSON payload containing the \u003ccode\u003ecmdline\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the JSON response and extracts the value of the \u003ccode\u003ecmdline\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe attacker searches the \u003ccode\u003ecmdline\u003c/code\u003e output for the \u003ccode\u003e--security token=...\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the admin token from the \u003ccode\u003e--security\u003c/code\u003e argument string.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to an admin-only endpoint (e.g., \u003ccode\u003eGET /admin/config/cache_mb HTTP/1.1\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker includes the extracted admin token in the \u003ccode\u003eX-Dgraph-AuthToken\u003c/code\u003e header of the request.\u003c/li\u003e\n\u003cli\u003eThe Dgraph Alpha server validates the token, granting the attacker administrative access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker to gain complete administrative control over the Dgraph database. This includes the ability to read and modify admin configurations, and perform operational control actions. 
In deployments where the Alpha HTTP port is publicly accessible, this vulnerability poses a significant risk, leading to potential data breaches, service disruption, and unauthorized manipulation of the database. While the number of affected deployments is not explicitly stated, any Dgraph instance running a vulnerable version with an exposed Alpha HTTP port is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Dgraph to version 25.3.3 or later to address the vulnerability.\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround, restrict access to the Alpha HTTP port to trusted networks only.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to detect unauthorized access attempts to the \u003ccode\u003e/admin/config/cache_mb\u003c/code\u003e endpoint using the \u003ccode\u003eX-Dgraph-AuthToken\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to detect access to the \u003ccode\u003e/debug/vars\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-02T12:00:00Z","date_published":"2024-05-02T12:00:00Z","id":"/briefs/2024-05-dgraph-auth-bypass/","summary":"Dgraph versions prior to 25.3.3 expose the admin token via the `/debug/vars` endpoint, allowing unauthenticated attackers to bypass authentication and gain administrative access.","title":"Dgraph Unauthenticated Admin Token Disclosure via /debug/vars","url":"https://feed.craftedsignal.io/briefs/2024-05-dgraph-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Dgraph"],"_cs_severities":["critical"],"_cs_tags":["dgraph","dql-injection","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Dgraph"],"content_html":"\u003cp\u003eA critical vulnerability in Dgraph, specifically within the \u003ccode\u003eaddQueryIfUnique\u003c/code\u003e function, enables unauthenticated attackers to perform full database exfiltration. 
This affects default configurations where Access Control Lists (ACLs) are disabled. The attack involves sending crafted HTTP POST requests to the \u003ccode\u003e/alter\u003c/code\u003e and \u003ccode\u003e/mutate\u003c/code\u003e endpoints on port 8080. The vulnerability stems from the lack of sanitization of the \u003ccode\u003eLang\u003c/code\u003e field in JSON mutations, which allows for DQL injection. By exploiting the \u003ccode\u003ex.PredicateLang()\u003c/code\u003e function, which splits predicate names on \u003ccode\u003e@\u003c/code\u003e, attackers can inject malicious code into the language tag. This injected code allows attackers to execute arbitrary DQL queries, bypassing authentication mechanisms and extracting sensitive data from the database. This vulnerability was tested on Dgraph version v25.3.0, posing a significant risk to organizations using Dgraph with default settings.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends an HTTP POST request to the \u003ccode\u003e/alter\u003c/code\u003e endpoint to create a schema predicate with \u003ccode\u003e@unique @index(exact) @lang\u003c/code\u003e. No authentication is required in the default Dgraph configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a JSON mutation containing a malicious payload. 
The key in the JSON mutation includes the predicate name followed by \u003ccode\u003e@\u003c/code\u003e and the DQL injection payload in the language tag position, such as \u003ccode\u003ename@en,\u0026quot;x\u0026quot;)) leak(func: has(dgraph.type)) { uid dgraph.type name email secret aws_access_key_id aws_secret_access_key } } #\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted JSON mutation via an HTTP POST request to the \u003ccode\u003e/mutate?commitNow=true\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emutationHandler\u003c/code\u003e parses the JSON body and identifies the malicious predicate and language tag.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ex.PredicateLang\u003c/code\u003e function splits the key on the last \u003ccode\u003e@\u003c/code\u003e, separating the predicate and the injection payload.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eaddQueryIfUnique\u003c/code\u003e function constructs a DQL query string by interpolating the raw language tag from the mutation into the query via \u003ccode\u003efmt.Sprintf\u003c/code\u003e without any sanitization.\u003c/li\u003e\n\u003cli\u003eThe constructed DQL is parsed, and the injected query is executed, bypassing authentication checks due to \u003ccode\u003eAclSecretKey == nil\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe results of the injected query, containing the entire database content, are returned to the attacker in the HTTP response.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to exfiltrate the entire Dgraph database, including all nodes, predicates, and values. This could lead to severe data breaches, exposure of sensitive information, and potential compromise of user credentials, API keys, or other confidential data stored within the database. 
The vulnerability affects Dgraph instances using the default configuration without ACL enabled, which poses a high risk to a wide range of deployments across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect DQL injection attempts by monitoring for unusual characters and patterns in the \u003ccode\u003epredicateName\u003c/code\u003e field (within application logs or network traffic capturing HTTP POST requests) to the \u003ccode\u003e/mutate\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eEnable ACL in Dgraph to require authentication for \u003ccode\u003e/alter\u003c/code\u003e and \u003ccode\u003e/mutate\u003c/code\u003e endpoints, mitigating the pre-authentication aspect of the vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for the \u003ccode\u003eLang\u003c/code\u003e field in JSON mutations to prevent DQL injection, focusing on the \u003ccode\u003ex.PredicateLang\u003c/code\u003e function and \u003ccode\u003eaddQueryIfUnique\u003c/code\u003e function within \u003ccode\u003eedgraph/server.go\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-dgraph-dql-injection/","summary":"A pre-authentication DQL injection vulnerability in Dgraph's default configuration allows attackers to exfiltrate the entire database by crafting malicious JSON mutations to the `/mutate` endpoint, exploiting unsanitized language tags in predicates.","title":"Dgraph Pre-Auth Full Database Exfiltration via DQL Injection","url":"https://feed.craftedsignal.io/briefs/2024-01-dgraph-dql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Dgraph","version":"https://jsonfeed.org/version/1.1"}