CVE-2024-24213 – SQL Injection Vulnerability discovered in Supabase PostgreSQL v15.1, but is it an intended feature?

A SQL injection vulnerability (CVE-2024-24213) has been discovered in Supabase PostgreSQL v15.1 via the component /pg_meta/default/query. However, the vendor claims that this is an intended feature and it does not exist in the Supabase PostgreSQL product, but in the Supabase dashboard product. The /pg_meta/default/query is designed for SQL queries entered in a user interface (UI) by an authorized user, claiming that nothing is injected.

Suppose we have a vulnerable query following the /pg_meta/default/query component

SELECT
    COLUMN_NAME, DATA_TYPE, TABLE_NAME
FROM
    INFORMATION_SCHEMA.COLUMNS
WHERE
    TABLE_CATALOG = 'Supabase' AND TABLE_SCHEMA = 'default';

An attacker could potentially exploit this by inputting a malicious SQL code

ADD'; DROP TABLE users; --

Original References

1. CVE-2024-24213 listing on CVE Details website
2. Supabase PostgreSQL v15.1 official release documentation
3. Discussion on Supabase GitHub repository regarding this issue
4. Supabase dashboard product website

Exploit Details

An attacker with basic access and knowledge about the system can exploit this vulnerability. By injecting malicious SQL code, they can modify, delete, or even retrieve sensitive information from the databases. Additionally, they could potentially take control of the server hosting the database.

This exploit seems to affect only the Supabase dashboard product, not the core PostgreSQL product, which is where the vendor claims the intended feature resides. The attack is executed through authorized user input, specifically in the /pg_meta/default/query UI.

However, authorized users should be aware of the potential pitfalls that come with allowing SQL queries to be inputted directly in the UI. Although this may be convenient, it may not be the best idea from a security standpoint. It could be considered a case of "insecure direct object reference" (IDOR) potentially leading to a larger security issue.

Recommendations

As per the vendor's claim that this is an intended feature, there might not be a direct fix for this vulnerability, but certain actions can be taken to reduce the risk:

1. Implement input validation: properly sanitize and validate user input before processing SQL queries entered through the /pg_meta/default/query UI.
2. Limit privileges: reduce the permissions of database users and only grant necessary permissions to perform requisite actions.
3. Use prepared statements: avoid executing raw SQL queries directly and adopt prepared statements to parameterize data input.
4. Employ multi-factor authentication (MFA) for users who can access the Supabase dashboard to add another layer of protection.
5. Monitor the system closely: have a monitoring mechanism in place to track suspicious activities or unauthorized access attempts.

Conclusion

The CVE-2024-24213 vulnerability highlights the importance of understanding that not all security threats come from third-party malicious actors. Recognizing that even authorized users can inadvertently create vulnerabilities allows developers to take necessary precautions in designing their applications. Although the vendor claims this is an intended feature, the lessons learned from this case should not be neglected.

Timeline

Published on: 02/08/2024 18:15:08 UTC
Last modified on: 03/21/2024 02:52:10 UTC