rudder-server is part of RudderStack, an open source Customer Data Platform (CDP). Versions of rudder-server prior to 1.3.0-rc.1 are vulnerable to SQL injection. This issue may lead to Remote Code Execution (RCE) due to the rudder role in PostgresSQL having superuser permissions by default. Version 1.3.0-rc.1 contains patches for this issue.

References

• https://nvd.nist.gov/vuln/detail/CVE-2023-30625
• rudderlabs/rudder-server#2652
• rudderlabs/rudder-server#2663
• rudderlabs/rudder-server#2664
• rudderlabs/rudder-server@0d061ff
• rudderlabs/rudder-server@2f956b7
• rudderlabs/rudder-server@9c009d9
• https://securitylab.github.com/advisories
• https://securitylab.github.com/advisories/GHSL-2022-097_rudder-server
• http://packetstormsecurity.com/files/173837/Rudder-Server-SQL-Injection-Remote-Code-Execution.html