scitokens, SQL Injection, CVE-2024-29231 (Critical)

Listen to this Post

The vulnerability exists in the `KeyCache` class within src/scitokens/utils/keycache.py, where multiple database operations use Python’s `str.format()` to construct SQL queries. User-controlled parameters like `issuer` and `key_id` are concatenated directly into the SQL string. An attacker can supply a specially crafted `issuer` value containing a single quote followed by SQL logic, such as any' OR '1'='1' --. When passed to methods like `addkeyinfo` or getkeyinfo, the generated query becomes DELETE FROM keycache WHERE issuer = 'any' OR '1'='1' --' AND key_id = '...'. The trailing `–` comments out the rest of the query, effectively bypassing the intended WHERE condition and executing the command against all rows. The provided Proof of Concept demonstrates this by injecting a payload into the `DELETE` statement, which clears the entire key cache table. The same injection vector exists in INSERT, SELECT, and `DELETE` statements across five different methods, allowing an attacker to delete, modify, or extract arbitrary cache entries, and potentially escalate to more severe attacks if SQLite extensions are enabled.
Platform: scitokens
Version: affected versions
Vulnerability: SQL Injection
Severity: Critical
date: 2026-03-31

Prediction: Patch April 2024

What Undercode Say:

Detect vulnerable string formatting patterns in the codebase
grep -r ".format(" src/scitokens/utils/keycache.py
Monitor SQLite database for unexpected modifications
sqlite3 /path/to/cache.db "SELECT FROM keycache;"
Simulate injection detection using a simple script
python3 -c "import sqlite3; conn = sqlite3.connect('cache.db'); cur = conn.cursor(); cur.execute(\"SELECT FROM keycache WHERE issuer = 'test' OR '1'='1'\"); print(cur.fetchall())"

Exploit:

Malicious issuer payload to delete all cache entries
malicious_issuer = "any' OR '1'='1' --"
key_id = "x"
Vulerable code executes: DELETE FROM keycache WHERE issuer = 'any' OR '1'='1' --' AND key_id = 'x'

Protection from this CVE:

Replace all `str.format()` SQL constructions with parameterized queries using `?` placeholders. Example: curs.execute("DELETE FROM keycache WHERE issuer = ? AND key_id = ?", (issuer, key_id)). Update all five vulnerable methods (addkeyinfo, _addkeyinfo, _delete_cache_entry, _add_negative_cache_entry, getkeyinfo) to use this pattern.

Impact:

Remote attacker can delete entire key cache, inject malicious keys, exfiltrate sensitive cache data, or achieve RCE via `ATTACH DATABASE` if SQLite extensions are enabled.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top