Listen to this Post
The vulnerability exists in the `KeyCache` class within src/scitokens/utils/keycache.py, where multiple database operations use Python’s `str.format()` to construct SQL queries. User-controlled parameters like `issuer` and `key_id` are concatenated directly into the SQL string. An attacker can supply a specially crafted `issuer` value containing a single quote followed by SQL logic, such as any' OR '1'='1' --. When passed to methods like `addkeyinfo` or getkeyinfo, the generated query becomes DELETE FROM keycache WHERE issuer = 'any' OR '1'='1' --' AND key_id = '...'. The trailing `–` comments out the rest of the query, effectively bypassing the intended WHERE condition and executing the command against all rows. The provided Proof of Concept demonstrates this by injecting a payload into the `DELETE` statement, which clears the entire key cache table. The same injection vector exists in INSERT, SELECT, and `DELETE` statements across five different methods, allowing an attacker to delete, modify, or extract arbitrary cache entries, and potentially escalate to more severe attacks if SQLite extensions are enabled.
Platform: scitokens
Version: affected versions
Vulnerability: SQL Injection
Severity: Critical
date: 2026-03-31
Prediction: Patch April 2024
What Undercode Say:
Detect vulnerable string formatting patterns in the codebase
grep -r ".format(" src/scitokens/utils/keycache.py
Monitor SQLite database for unexpected modifications
sqlite3 /path/to/cache.db "SELECT FROM keycache;"
Simulate injection detection using a simple script
python3 -c "import sqlite3; conn = sqlite3.connect('cache.db'); cur = conn.cursor(); cur.execute(\"SELECT FROM keycache WHERE issuer = 'test' OR '1'='1'\"); print(cur.fetchall())"
Exploit:
Malicious issuer payload to delete all cache entries malicious_issuer = "any' OR '1'='1' --" key_id = "x" Vulerable code executes: DELETE FROM keycache WHERE issuer = 'any' OR '1'='1' --' AND key_id = 'x'
Protection from this CVE:
Replace all `str.format()` SQL constructions with parameterized queries using `?` placeholders. Example: curs.execute("DELETE FROM keycache WHERE issuer = ? AND key_id = ?", (issuer, key_id)). Update all five vulnerable methods (addkeyinfo, _addkeyinfo, _delete_cache_entry, _add_negative_cache_entry, getkeyinfo) to use this pattern.
Impact:
Remote attacker can delete entire key cache, inject malicious keys, exfiltrate sensitive cache data, or achieve RCE via `ATTACH DATABASE` if SQLite extensions are enabled.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

