CVE-2024-40120: 
vulnerability analysis and mitigation

A SQL injection vulnerability was discovered in SeaweedFS versions prior to 3.69 that allows attackers to execute arbitrary database operations by manipulating the bucket name parameter. The vulnerability was discovered by Tencent YunDing Security Lab and affects the SeaweedFS Filer Server when using MySQL as the filemeta database (GitHub Issue).

The vulnerability exists in the AbstractSqlStore object within the weed/filer/abstractsql/abstractsql_store.go file. The issue stems from user input being directly concatenated into SQL statements without proper sanitization. The vulnerability affects multiple methods including FindEntry, ListDirectoryPrefixedEntries, CreateTable, DeleteEntry, and deleteTable. The most severe impact comes from select injection capabilities (GitHub Gist).

An attacker can execute arbitrary database operations by manipulating the bucket name parameter. This could potentially lead to unauthorized access to data, modification of database contents, or execution of malicious database commands. The vulnerability primarily affects installations using MySQL as the filemeta database (GitHub Issue).

The vulnerability has been fixed in SeaweedFS version 3.69. Users should upgrade to this version or later. For those unable to upgrade immediately, it is recommended to implement proper input validation and use parameterized queries to prevent SQL injection attacks (GitHub Issue).