rucio 39.3.0

Direct Vulnerabilities

Known vulnerabilities in the rucio package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H SQL Injection rucio is a Rucio Package Affected versions of this package are vulnerable to SQL Injection in the `create_sqla_query` function when processing filter keys and values in Oracle database backends using the default `json_meta` metadata plugin configuration. An attacker can execute arbitrary SQL commands by supplying crafted input to the DID search API endpoint, potentially leading to full database compromise, extraction of sensitive data, modification of records, and possible remote code execution if the database user has elevated privileges. This is only exploitable if the deployment uses an Oracle backend with the default `json_meta` plugin configuration. How to fix SQL Injection? Upgrade `rucio` to version 35.8.5, 38.5.5, 39.4.2, 40.1.1 or higher.	[1.27.0,35.8.5)[36.0.0,38.5.5)[39.0.0,39.4.2)[40.0.0,40.1.1)
H SQL Injection rucio is a Rucio Package Affected versions of this package are vulnerable to SQL Injection via the `create_postgres_query` function when attacker-controlled filter keys and values are interpolated directly into raw SQL statements through the DID search endpoint. An attacker can execute arbitrary SQL commands, exfiltrate sensitive data, modify database contents, and potentially achieve remote code execution by crafting malicious input. This is only exploitable if the external metadata plugin `postgres_meta` is explicitly configured. How to fix SQL Injection? Upgrade `rucio` to version 35.8.5, 38.5.5, 39.4.2, 40.1.1 or higher.	[1.30.0,35.8.5)[36.0.0,38.5.5)[39.0.0,39.4.2)[40.0.0,40.1.1)

Vulnerability

Vulnerable Version

SQL Injection

rucio is a Rucio Package

Affected versions of this package are vulnerable to SQL Injection in the create_sqla_query function when processing filter keys and values in Oracle database backends using the default json_meta metadata plugin configuration. An attacker can execute arbitrary SQL commands by supplying crafted input to the DID search API endpoint, potentially leading to full database compromise, extraction of sensitive data, modification of records, and possible remote code execution if the database user has elevated privileges. This is only exploitable if the deployment uses an Oracle backend with the default json_meta plugin configuration.

How to fix SQL Injection?

Upgrade rucio to version 35.8.5, 38.5.5, 39.4.2, 40.1.1 or higher.

[1.27.0,35.8.5)[36.0.0,38.5.5)[39.0.0,39.4.2)[40.0.0,40.1.1)

SQL Injection

rucio is a Rucio Package

Affected versions of this package are vulnerable to SQL Injection via the create_postgres_query function when attacker-controlled filter keys and values are interpolated directly into raw SQL statements through the DID search endpoint. An attacker can execute arbitrary SQL commands, exfiltrate sensitive data, modify database contents, and potentially achieve remote code execution by crafting malicious input. This is only exploitable if the external metadata plugin postgres_meta is explicitly configured.

How to fix SQL Injection?

Upgrade rucio to version 35.8.5, 38.5.5, 39.4.2, 40.1.1 or higher.

[1.30.0,35.8.5)[36.0.0,38.5.5)[39.0.0,39.4.2)[40.0.0,40.1.1)

rucio@39.3.0

Rucio server package

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically