LevelBlue SpiderLabs: SQL Injection in Orkes Conductor: CVE-2025-66387
2025-12-18 15:46:25 Author: levelblue.com

LevelBlue SpiderLabs has discovered a vulnerability in the Orkes Conductor platform (version 5.2.4 | v1.19.12) that allows authenticated attackers to perform time-based blind SQL injection attacks against the backend PostgreSQL database.

Orkes Conductor is a managed workflow orchestration platform used to model complex, distributed microservice and human workflows. The vulnerability arises from improper input validation on the “sort” parameter in the /api/workflow/search endpoint, enabling the injection of crafted SQL expressions directly into backend queries.

Affected Product

  • Product: Orkes Conductor
  • Version: 5.2.4 (Platform v1.19.12)
  • Component: /api/workflow/search
  • Database: PostgreSQL
  • CVE ID: CVE-2025-66387

Vulnerability Details

The vulnerable endpoint accepts user-controlled input in the “sort” query parameter, which is directly embedded in SQL statements executed on the backend without proper sanitization. While basic filtering is in place to prevent common payloads, LevelBlue researchers successfully bypassed these checks using time-based blind SQL injection techniques.

The following proof-of-concept payload resulted in a deliberate five-second delay in the server’s response, confirming the presence of a time-based SQL injection vulnerability:

?sort=(SELECT 1371 FROM PG_SLEEP(5))

Figure 1. PoC request resulted in a five-second delay in the server’s response

Another example:

?sort=(SELECT 1 + CASE WHEN (SELECT ASCII(SUBSTRING(datname,1,1)) FROM pg_database LIMIT 1 OFFSET 0) = 112 THEN PG_SLEEP(5) ELSE 0 END)

This payload triggers a measurable time delay only if the first character of the database name matches the ASCII value being tested (here 112, i.e. 'p'), which allows data to be exfiltrated one character at a time.

This technique enabled the enumeration of database names, table names, and column metadata.

Impact

Successful exploitation of this vulnerability allows a remote, authenticated attacker to extract internal PostgreSQL database names and contents.

Depending on deployment and database configuration, the attacker could gain access to confidential application data or orchestrated workflow states.

Root Cause

The core issue lies in unsanitized SQL string construction in dynamic query sorting logic. Application-layer filtering was insufficient to block logical injection chains and failed to use prepared statements or query parameterization.

Remediation

The vulnerability has been addressed by Orkes. Users are advised to update to the latest version, to validate and escape all user-supplied input, and to use prepared statements with bind variables.
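The root cause and remediation above both come down to how a sort parameter reaches the query. An ORDER BY column or direction cannot be passed as a bind variable, so parameterization alone does not close this class of bug; the column must come from an allowlist and only the value parts (such as the limit) are bound. The following is an added illustration, not Orkes Conductor's code: the sort syntax "field:ASC" / "field:DESC", the column names and the sqlite stand-in for PostgreSQL are all assumptions made for the example.

```python
import re
import sqlite3  # stand-in for PostgreSQL so the example runs offline (assumption)

# Allowlist: external sort key -> fixed SQL column identifier (assumed names).
# Anything not in this map is rejected before it can reach the SQL string.
SORTABLE_COLUMNS = {
    "startTime": "start_time",
    "endTime": "end_time",
    "workflowId": "workflow_id",
    "status": "status",
}
# Accepts "field" or "field:ASC" / "field:DESC" (assumed sort syntax).
_SORT_TOKEN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)(?::(ASC|DESC))?$")


def build_search_query_vulnerable(sort: str) -> str:
    """Mirrors the root cause: the raw sort parameter is spliced into ORDER BY."""
    return f"SELECT workflow_id FROM workflow ORDER BY {sort}"


def parse_sort(sort: str) -> tuple[str, str]:
    """Map a user-supplied sort token to an allowlisted column and direction.

    Raises ValueError for anything that is not a plain allowlisted token,
    so SQL expressions such as a PG_SLEEP subquery never reach the query."""
    m = _SORT_TOKEN.match(sort.strip())
    if not m or m.group(1) not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort parameter: {sort!r}")
    return SORTABLE_COLUMNS[m.group(1)], m.group(2) or "ASC"


def build_search_query(sort: str, limit: int) -> tuple[str, tuple]:
    """Hardened form: identifiers come from the allowlist, values are bound."""
    column, direction = parse_sort(sort)
    sql = f"SELECT workflow_id FROM workflow ORDER BY {column} {direction} LIMIT ?"
    return sql, (limit,)


def run_search(conn: sqlite3.Connection, sort: str, limit: int) -> list[str]:
    sql, params = build_search_query(sort, limit)
    return [row[0] for row in conn.execute(sql, params)]


def demo() -> list[str]:
    """Constructed sample data; returns workflow ids sorted by start time, newest first."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE workflow (workflow_id TEXT, start_time INTEGER, status TEXT)")
    conn.executemany("INSERT INTO workflow VALUES (?, ?, ?)",
                     [("wf-a", 30, "RUNNING"), ("wf-b", 10, "COMPLETED"), ("wf-c", 20, "FAILED")])
    return run_search(conn, "startTime:DESC", 2)
```

On the real endpoint the same allowlist check belongs at the API layer, and a rejected sort value is a useful signal to log and alert on.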

Timeline

  • [Discovery Date]: 09-15-2025
  • [Vendor Notified]: 09-19-2025 
  • [CVE Assigned]: 11-28-2025
  • [Public Disclosure]: 12-18-2025

Credit

This vulnerability was discovered by Timothy Stamopoulos, on behalf of LevelBlue SpiderLabs, during a client engagement.


Source: https://levelblue.com/blogs/spiderlabs-blog/levelblue-spiderlabs-sql-injection-in-orkes-conductor-cve-2025-66387/