Listen to this Post
The vulnerability resides in the PilotManager service of DIRAC, a distributed computing framework. A number of functions within PilotManager, such as setPilotStatus, accept user-supplied parameters and pass them directly to the database layer without any sanitization or escaping. The database layer then incorporates these parameters into SQL queries verbatim, creating a classical SQL injection vector. Although the implementation does not permit multiple statements separated by semicolons, an attacker can still craft malicious parameters containing SQL escape sequences to alter the logic of the query. This allows an authenticated user to read, modify, or delete arbitrary database entries that they should not have access to.
Compounding this issue, the access control for PilotManager is configured only to require authentication, without any further authorization checks. The relevant configuration (ConfigTemplate.cfg) grants access to all authenticated users for all exported pilot management functions. As a result, any user with valid credentials—regardless of their role or privileges—can invoke these functions. This means that a low-privilege user can manage any pilot job in the system, including deleting pilots, reading their output, or altering their status.
The combination of these two flaws turns a simple SQL injection into a severe security breach. An attacker can first use the SQL injection to extract sensitive information from the database, such as credentials or configuration data. They can then leverage the excessive access control to manipulate pilot jobs belonging to other users, potentially disrupting workflows or gaining further footholds in the infrastructure. The vulnerability affects multiple version ranges of DIRAC, specifically versions 6.x up to 8.0.78, 8.1.0a1 through 9.0.21, and 9.1.0 through 9.1.9. The fix involves two key changes: rewriting the SQL statements to use proper parameter substitution (prepared statements) and implementing a more granular set of access rules for the pilot management functions. Patched versions 8.0.79, 9.0.22, and 9.1.10 have been released to address these issues.
DailyCVE Form:
Platform: DIRAC
Version: >=6,<8.0.79;>=8.1.0a1,<9.0.22;>=9.1.0,<9.1.10
Vulnerability: SQL Injection, Improper Access Control
Severity: High
date: 2026-07-13
Prediction: 2026-07-13
What Undercode Say:
Analytics
- Vulnerable Code (PilotManagerHandler.py, lines 343-349):
def setPilotStatus(self, pilotRef, status, reason=''): result = self.pilotAgentsDB.setPilotStatus(pilotRef, status, reason) return result
- Vulnerable DB Function (PilotAgentsDB.py, line 117):
def setPilotStatus(self, pilotRef, status, reason=''): sql = "UPDATE PilotAgents SET Status='%s' WHERE PilotRef='%s'" % (status, pilotRef) self._execute(sql)
- Fixed Code (Parameter Substitution):
def setPilotStatus(self, pilotRef, status, reason=''): sql = "UPDATE PilotAgents SET Status=? WHERE PilotRef=?" self._execute(sql, (status, pilotRef))
- Access Control Configuration (ConfigTemplate.cfg, lines 111-118):
[bash] Authorization { Default = authenticated } - Hardened Access Control:
[bash] Authorization { setPilotStatus = admin deletePilot = admin getPilotOutput = admin Default = authenticated }
Exploit:
An authenticated attacker can exploit the SQL injection by calling `setPilotStatus` with a malicious `pilotRef` parameter. For example:
setPilotStatus("' OR '1'='1' -- ", "Deleted")
This would update all pilot records to “Deleted” status. Similarly, an attacker can use `UNION` queries to extract data from other tables. The lack of access control means any authenticated user can perform these actions on any pilot, not just their own.
Protection:
- Upgrade to DIRAC version 8.0.79, 9.0.22, or 9.1.10 or later.
- If upgrading is not immediately possible, manually apply the fix by changing all SQL statements in `PilotAgentsDB.py` to use parameterized queries (e.g., `?` placeholders with
_execute(sql, params)). - Restrict access to PilotManager functions by modifying the `Authorization` section in `ConfigTemplate.cfg` to enforce role-based permissions (e.g., only allow `admin` or `pilotmanager` roles to perform write operations).
Impact:
Successful exploitation allows any authenticated user to:
- Read, modify, or delete arbitrary records in the PilotAgents database table.
- Manipulate pilot jobs belonging to any other user, including deletion or status changes.
- Potentially escalate privileges by extracting sensitive information (e.g., credentials, configuration data) from the database through UNION-based SQL injection.
- Disrupt the normal operation of the DIRAC workload management system, leading to denial of service or data integrity issues.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

