{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/rucio/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["rucio"],"_cs_severities":["critical"],"_cs_tags":["sql-injection","cve-2026-29090","rucio"],"_cs_type":"advisory","_cs_vendors":["Rucio"],"content_html":"\u003cp\u003eA SQL injection vulnerability has been identified in Rucio, a scientific data management framework, specifically within the \u003ccode\u003eFilterEngine.create_postgres_query\u003c/code\u003e function. This flaw allows any authenticated Rucio user to inject arbitrary SQL commands into the PostgreSQL metadata database if the \u003ccode\u003epostgres_meta\u003c/code\u003e external metadata plugin is configured. The vulnerability is located in the DID search endpoint (\u003ccode\u003eGET /dids/\u0026lt;scope\u0026gt;/dids/search\u003c/code\u003e). The vulnerable code interpolates attacker-controlled filter keys and values directly into raw SQL statements via Python \u003ccode\u003estr.format\u003c/code\u003e, without proper sanitization. This issue affects Rucio versions 1.30.0 to before 35.8.5, 36.0.0 to before 38.5.5, 39.0.0 to before 39.4.2, and 40.0.0 to before 40.1.1. Exploitation can lead to full database compromise, including sensitive data exfiltration, data modification, and even potential remote code execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Rucio instance using any supported method (userpass, x509, OIDC, SAML, SSH, GSS).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to the DID search endpoint (\u003ccode\u003eGET /dids/\u0026lt;scope\u0026gt;/dids/search\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe crafted request includes specially formatted filter keys and values designed to inject SQL code.\u003c/li\u003e\n\u003cli\u003eRucio\u0026rsquo;s \u003ccode\u003eFilterEngine.create_postgres_query\u003c/code\u003e function processes the request and directly interpolates the attacker-controlled values into a raw SQL query.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the PostgreSQL metadata database.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as reading sensitive data (password hashes, tokens, account details), modifying data, or attempting remote code execution.\u003c/li\u003e\n\u003cli\u003eIf the database user has sufficient privileges, the attacker can use PostgreSQL\u0026rsquo;s \u003ccode\u003eCOPY ... FROM PROGRAM\u003c/code\u003e to execute arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation allows the attacker to gain complete control over the Rucio metadata.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can have severe consequences. An attacker can modify or delete data within the Rucio metadata database, potentially disrupting scientific workflows and data management processes. Furthermore, sensitive information, such as password hashes and authentication tokens, can be extracted, leading to unauthorized access to Rucio accounts and data. In the worst-case scenario, if the PostgreSQL database user has elevated privileges, the attacker could achieve remote code execution on the server hosting the database, leading to complete system compromise. The number of affected deployments is currently unknown, but any Rucio instance utilizing the \u003ccode\u003epostgres_meta\u003c/code\u003e plugin is vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Rucio to a patched version (35.8.5, 38.5.5, 39.4.2, 40.1.1 or later) to remediate CVE-2026-29090.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Rucio DID Search Queries\u0026rdquo; to identify potential exploitation attempts against the DID search endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor Rucio logs for unusual activity related to the \u003ccode\u003eGET /dids/\u0026lt;scope\u0026gt;/dids/search\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eRestrict the privileges of the PostgreSQL database user used by Rucio to the minimum necessary for its operation to mitigate potential remote code execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-rucio-sqli/","summary":"A SQL injection vulnerability exists in Rucio's FilterEngine.create_postgres_query, affecting versions 1.30.0 to before 35.8.5, 36.0.0 to before 38.5.5, 39.0.0 to before 39.4.2, and 40.0.0 to before 40.1.1, allowing any authenticated Rucio user to execute arbitrary SQL against the PostgreSQL metadata database via the DID search endpoint when the postgres_meta plugin is enabled, potentially leading to data modification, remote code execution, and credential theft.","title":"Rucio SQL Injection Vulnerability in FilterEngine PostgreSQL Query Builder","url":"https://feed.craftedsignal.io/briefs/2024-01-03-rucio-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Rucio","version":"https://jsonfeed.org/version/1.1"}