CVE-2024-40120: 
NixOS vulnerability analysis and mitigation

A SQL injection vulnerability was discovered in SeaweedFS versions prior to 3.69 that allows attackers to execute arbitrary database operations by manipulating the bucket name parameter. The vulnerability affects the SeaweedFS Filer Server when using MySQL as the filemeta database (Wiz Report, GitHub Issue).

The vulnerability exists in the AbstractSqlStore object within the weed/filer/abstractsql/abstractsql_store.go file. The issue stems from user input being directly concatenated into SQL statements without proper sanitization. The vulnerability affects multiple methods including FindEntry, ListDirectoryPrefixedEntries, CreateTable, DeleteEntry, and deleteTable. The most severe impact comes from select injection capabilities (GitHub Gist).

An attacker can execute arbitrary database operations by manipulating the bucket name parameter. This could potentially lead to unauthorized access to data, modification of database contents, or execution of malicious database commands. The vulnerability primarily affects installations using MySQL as the filemeta database (Wiz Report).

The vulnerability has been fixed in SeaweedFS version 3.69. Users should upgrade to this version or later. For those unable to upgrade immediately, it is recommended to implement proper input validation and use parameterized queries to prevent SQL injection attacks (Wiz Report).

The vulnerability was discovered and reported by Tencent YunDing Security Lab. The issue was publicly disclosed through GitHub, leading to prompt acknowledgment and patching by the SeaweedFS development team (GitHub Issue).