Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL Injection vulnerability that leads to Remote Code Execution (RCE) in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated, simply visiting a crafted link is enough to trigger the vulnerability. The injected payload is executed by PostgreSQL using COPY ... TO PROGRAM ..., which in turn runs arbitrary OS commands on the host. This issue has been patched in version 1.3.7.
The vulnerability is located in the GET /api/v1/main/flows/search endpoint and consists of improper handling of input data passed to an SQL query (CWE-89). The attacker injects a malicious SQL payload, which is then executed by PostgreSQL using the COPY ... TO PROGRAM ... mechanism. This mechanism allows PostgreSQL to execute arbitrary operating system commands on the host where the database runs. In the default docker-compose deployment, the exploit requires only an active authenticated user session.
An attacker with access to an authenticated session can execute arbitrary operating system commands on the host server, resulting in complete system compromise, potential data leakage, and violation of integrity and availability of the environment.
Kestra should be updated to version 1.3.7, in which the issue has been fixed. The fix is available in the GitHub repository (commit 3926762795df8ad3e03924b370c51832ed3a21d3) and in the v1.3.7 release.
Kestra in versions prior to 1.3.7, in the default docker-compose deployment with PostgreSQL database
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HKestra
APPKestra< 1.3.7
Related vulnerabilities
Kestra: Pominięcie uwierzytelnienia REST API prowadzące do RCE jako root
Kestra: Auth Bypass umożliwiający nieuwierzytelniony RCE jako root
SQL Injection w Kestra — wstrzykiwanie zapytań przez parametr GET
Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in t...
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API ...