<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>DIRACGrid - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/diracgrid/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 13 Jul 2026 18:41:36 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/diracgrid/feed.xml" rel="self" type="application/rss+xml"/><item><title>DIRAC Vulnerable to Remote Code Execution via SQL Injection and Eval in DatasetManager</title><link>https://feed.craftedsignal.io/briefs/2026-07-dirac-rce/</link><pubDate>Mon, 13 Jul 2026 18:41:36 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-dirac-rce/</guid><description>An authenticated user can achieve remote code execution in DIRAC's FileCatalog DatasetManager due to an SQL injection vulnerability (CVE-2026-61667) that allows manipulation of query results passed to an `eval` function, leading to full system compromise.</description><content:encoded><![CDATA[<p>A critical remote code execution vulnerability, tracked as CVE-2026-61667, has been identified in DIRAC's FileCatalog DatasetManager. This vulnerability allows an authenticated user to execute arbitrary code on the server by combining an SQL injection flaw with the improper use of Python's <code>eval</code> function. Specifically, the <code>checkDataset</code> function in <code>FileCatalogHandler.py</code> passes user-controlled input directly into an SQL query without proper escaping, leading to injection. The malicious SQL injection can manipulate the database query's result, which is subsequently passed to <code>eval</code> in <code>DatasetManager.py</code>, granting an attacker full control over the system. This allows for reading sensitive configuration files, exfiltrating database passwords, and compromising stored proxies and tokens, with the potential to also erase exploit evidence from logs. Patched versions are available for DIRAC 8.0.79, 9.0.22, and 9.1.10.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated attacker initiates a request to the DIRAC system, targeting the <code>FileCatalog.checkDataset</code> function.</li>
<li>The attacker crafts a malicious <code>datasets</code> argument containing an SQL injection payload and sends it to the backend database handler.</li>
<li>The <code>__checkDataset</code> function in <code>DatasetManager.py</code> constructs an SQL query using an f-string with the unescaped, user-controlled <code>datasets</code> argument, creating an SQL injection vulnerability.</li>
<li>The injected SQL payload is designed to manipulate the query's result set, inserting arbitrary Python code that the attacker wishes to execute.</li>
<li>The database executes the modified query and returns the manipulated result, which now contains the attacker's arbitrary Python code.</li>
<li>The <code>DatasetManager.py</code> module immediately passes this returned, attacker-controlled result to Python's <code>eval</code> function.</li>
<li>The <code>eval</code> function executes the attacker's arbitrary Python code with the privileges of the DIRAC application.</li>
<li>Remote code execution is achieved, allowing the attacker to perform actions such as reading <code>dirac.cfg</code>, exfiltrating database credentials, and deleting log evidence.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-61667 grants any authenticated user the ability to execute arbitrary commands on the DIRAC server, leading to a complete compromise of the system. Attackers can read sensitive configuration files like <code>dirac.cfg</code>, extract database passwords, and exfiltrate all stored proxies and tokens, thereby gaining extensive access to the environment. Furthermore, if local logging is employed, the attacker can leverage this RCE to remove evidence of their activities, hindering incident response and forensic investigations. The vulnerability affects multiple versions of DIRAC, specifically versions from 6 up to 8.0.79, 8.1.0a1 up to 9.0.22, and 9.1.0 up to 9.1.10.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update all affected DIRAC installations to a patched version (8.0.79, 9.0.22, or 9.1.10) as listed in the advisory to remediate CVE-2026-61667.</li>
<li>Ensure proper input validation and parameterized queries are implemented for all database interactions within applications to prevent similar SQL injection vulnerabilities.</li>
<li>Implement robust logging and monitoring for critical application functions and ensure logs are forwarded to a secure, immutable log management system to prevent tampering, as attackers can remove evidence if local logging is used.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>remote-code-execution</category><category>sql-injection</category><category>python</category><category>web-application</category><category>vulnerability</category><category>cve-2026-61667</category></item><item><title>DIRAC Vulnerable to Remote Code Execution via eval on Untrusted Input in RequestManager</title><link>https://feed.craftedsignal.io/briefs/2026-07-dirac-rce-requestmanager/</link><pubDate>Mon, 13 Jul 2026 17:23:02 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-dirac-rce-requestmanager/</guid><description>A critical remote code execution vulnerability (CVE-2026-45579) in DIRAC's RequestManager allows any authenticated user to execute arbitrary commands or code on the DIRAC server due to the improper use of `eval()` on untrusted input, leading to full system compromise including data exfiltration and log manipulation.</description><content:encoded><![CDATA[<p>A critical remote code execution vulnerability, tracked as CVE-2026-45579, has been identified in the DIRAC RequestManager component. This flaw stems from the <code>export_getRequestCountersWeb</code> function, which is accessible to any authenticated user and processes untrusted input in its <code>groupingAttribute</code> parameter. This parameter is then prepended with &quot;Request.&quot; and directly passed to an <code>eval()</code> call within <code>RequestDB.py</code> if the attribute is unrecognized. This allows an authenticated attacker to inject and execute arbitrary Python code on the DIRAC server. Successful exploitation grants the attacker the ability to run commands as the system user running DIRAC services, enabling full control over the system, including access to sensitive configuration files like <code>dirac.cfg</code>, database passwords, proxies, and tokens. Attackers could also remove their exploit evidence from local RequestManager logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated attacker accesses the DIRAC web interface or API.</li>
<li>The attacker identifies the <code>export_getRequestCountersWeb</code> function within the RequestManager as an accessible endpoint.</li>
<li>A specially crafted HTTP request is sent to invoke this function, including a malicious <code>groupingAttribute</code> parameter.</li>
<li>The <code>groupingAttribute</code> parameter contains Python code designed for arbitrary command execution (e.g., <code>__import__('os').system('id')</code>) leveraging dunder methods to access system functions.</li>
<li>The <code>ReqManagerHandler.py</code> component passes the untrusted <code>groupingAttribute</code> value to the <code>RequestDB</code> database instance.</li>
<li>Within <code>RequestDB.py</code>, if the provided <code>groupingAttribute</code> is not a recognized grouping string, the system prepends &quot;Request.&quot; to it and executes the resulting string via an <code>eval()</code> call.</li>
<li>The <code>eval()</code> function executes the attacker's injected Python code with the privileges of the system user running the DIRAC services.</li>
<li>The attacker achieves remote code execution, enabling actions such as retrieving sensitive <code>dirac.cfg</code> contents, exfiltrating database passwords and tokens, or removing forensic evidence from local RequestManager logs.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-45579 allows any authenticated user to gain arbitrary code execution on the DIRAC server, running commands as the system user. This leads to a full compromise of the DIRAC system, granting the attacker access to highly sensitive information such as the <code>dirac.cfg</code> file, database passwords, and all stored proxies and tokens. The attacker could also utilize this access to manipulate or remove local log files, hindering incident response and forensic analysis efforts. The scope of impact is broad, encompassing data theft, privilege escalation, and complete control over the compromised DIRAC infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Detects CVE-2026-45579 Exploitation - DIRAC RequestManager RCE&quot; to your SIEM system to identify exploitation attempts.</li>
<li>Ensure web server access logs are comprehensively collected and stored, providing the necessary <code>cs-uri-stem</code> and <code>cs-uri-query</code> fields for the detection rule.</li>
<li>Immediately apply the patches to DIRAC versions 8.0.79, 9.0.22, or 9.1.10 as recommended in the advisory to mitigate CVE-2026-45579.</li>
<li>Implement rigorous authentication and authorization policies for all users accessing DIRAC systems to reduce the attack surface.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>RCE</category><category>python</category><category>web-application</category><category>vulnerability</category><category>sql-injection</category><category>access-control</category></item></channel></rss>