{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/questdb/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["OpenC3"],"_cs_severities":["critical"],"_cs_tags":["sql-injection","openc3","cosmos","questdb","telemetry"],"_cs_type":"advisory","_cs_vendors":["rubygems"],"content_html":"\u003cp\u003eA SQL injection vulnerability has been identified in the OpenC3 COSMOS Time-Series Database (TSDB) component, which uses QuestDB. The vulnerability resides within the \u003ccode\u003etsdb_lookup\u003c/code\u003e function in the \u003ccode\u003ecvt_model.rb\u003c/code\u003e file, where user-supplied input is directly incorporated into SQL queries without proper sanitization. An authenticated attacker with \u0026ldquo;tlm\u0026rdquo; permissions, which include the Admin, Operator, Viewer, and Runner roles, can exploit this flaw to inject arbitrary SQL commands. This can lead to unauthorized data access, modification, or deletion within the TSDB. The affected versions are OpenC3 rubygems package versions \u0026gt;= 6.7.0 and \u0026lt; 7.0.0-rc3. 
Successful exploitation allows attackers to compromise the confidentiality, integrity, and availability of telemetry data stored within the COSMOS system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the COSMOS system with a role that possesses \u0026ldquo;tlm\u0026rdquo; permissions (Admin, Operator, Viewer, or Runner).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious JSON-RPC request targeting the \u003ccode\u003eget_tlm_values\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the request body, the attacker injects a SQL payload into the \u003ccode\u003estart_time\u003c/code\u003e parameter, such as \u003ccode\u003e' OR 1=1 --\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etsdb_lookup\u003c/code\u003e function incorporates the unsanitized input into a SQL query.\u003c/li\u003e\n\u003cli\u003eThe injected SQL payload manipulates the query logic, allowing the attacker to bypass intended restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker can then exfiltrate all telemetry data within the database by manipulating the SQL query.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the SQL payload to execute arbitrary commands, such as \u003ccode\u003eDROP TABLE\u003c/code\u003e statements.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully deletes historical data from the database, impacting data availability and system integrity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability allows an attacker to perform unauthorized actions on the OpenC3 COSMOS Time-Series Database (TSDB). An attacker with \u0026ldquo;tlm\u0026rdquo; permissions can disclose sensitive telemetry data, modify existing data, or delete data altogether. 
The vulnerability impacts systems running OpenC3 rubygems package versions \u0026gt;= 6.7.0 and \u0026lt; 7.0.0-rc3. Depending on the role of the compromised account and the specific SQL commands executed, an attacker could potentially cause significant disruption to operations relying on the integrity and availability of telemetry data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003erubygems/openc3\u003c/code\u003e package to version 7.0.0-rc3 or later to remediate the SQL injection vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement input sanitization on user-supplied data within the \u003ccode\u003etsdb_lookup\u003c/code\u003e function in \u003ccode\u003ecvt_model.rb\u003c/code\u003e to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious OpenC3 Telemetry Requests\u0026rdquo; to identify potential exploitation attempts targeting the \u003ccode\u003eget_tlm_values\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eReview and restrict \u0026ldquo;tlm\u0026rdquo; permissions to the \u003ccode\u003eget_tlm_values\u003c/code\u003e RPC endpoint according to the principle of least privilege, limiting access to only those users who require it.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T14:12:02Z","date_published":"2026-04-23T14:12:02Z","id":"/briefs/2024-01-09-openc3-sql-injection/","summary":"A SQL injection vulnerability exists in the Time-Series Database (TSDB) component of COSMOS, allowing an authenticated remote user to execute arbitrary SQL commands, including telemetry data disclosure and deletion.","title":"OpenC3 COSMOS SQL Injection Vulnerability in QuestDB Time-Series Database","url":"https://feed.craftedsignal.io/briefs/2024-01-09-openc3-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Questdb","version":"https://jsonfeed.org/version/1.1"}