Rucio

A SQL injection vulnerability exists in the Oracle path of `FilterEngine.create_sqla_query` in Rucio, allowing any authenticated user to execute arbitrary SQL against the backend database via the DID search endpoint, potentially leading to full database compromise and data exfiltration.

A SQL injection vulnerability exists in Rucio's FilterEngine.create_postgres_query, affecting versions 1.30.0 to before 35.8.5, 36.0.0 to before 38.5.5, 39.0.0 to before 39.4.2, and 40.0.0 to before 40.1.1, allowing any authenticated Rucio user to execute arbitrary SQL against the PostgreSQL metadata database via the DID search endpoint when the postgres_meta plugin is enabled, potentially leading to data modification, remote code execution, and credential theft.