Publication date: March 29, 2023
A potential data leak/privilege escalation of statement diagnostic bundles by non-admin users was discovered. We expose the ability to download a statement diagnostic bundle over HTTP via a URL provided either by the DB Console or the SQL shell. This URL is accessible to any logged-in user, but should be accessible only to admin users. This bundle contains unredacted query execution data including query text and the values of variables used within.
A user would be vulnerable to this escalation if they have generated a statement diagnostic bundle via the DB Console or the SQL shell and shared the URL with someone without the privileges to view. Or, an attacker guessed the statement diagnostic bundle ID that is at the end of a URL, which is possible to guess or brute force because it is a combination of timestamp and node ID. The zip file that the attacker downloads would contain the unredacted query execution details.
This vulnerability affects all of the following CockroachDB versions with this feature: v21.2.x, v22.1.0 to v22.1.16, v22.2.0 to v22.2.6.
This is resolved in CockroachDB by PR #99051, which fixes privilege escalation by correctly checking the SQL user’s privileges before granting access to the statement diagnostic bundle.
The fix has been applied to maintenance releases of CockroachDB: v22.1.18 and v22.2.7.
This public issue is tracked by #99049.
Users of CockroachDB v21.2, v22.1, and v22.2 are encouraged to upgrade to v22.1.18, v22.2.7, or a later version. Note that v21.2 users should upgrade to v22.2.7 or later. They can alternatively block HTTP access to the statement diagnostics download endpoint on their cluster via an HTTP proxy. Users can also protect against access if they do not generate statement diagnostics bundles, or delete the bundles by dropping rows from system.statement_diagnostics to remove existing generated bundles.
Non-admin SQL users with an authenticated HTTP session could download statement diagnostic bundles given a bundle URL from the DB Console or SQL shell with a valid HTTP session cookie. The bundle contains unredacted statement execution information including the contents of the query. This link is made available when a bundle is requested either via the
EXPLAIN ANALYZE (DEBUG) statement or by activating statement diagnostics in the DB console. The link contains an ID that is guessable, consisting of a timestamp and node ID, which could be brute-forced. The escalation of privileges was only experienced by users with valid login sessions.
Questions about any technical alert can be directed to our support team.