CVE-2026-32306

OneUptime · OneUptime

OneUptime versions prior to 10.0.23 are vulnerable to SQL injection in the telemetry aggregation API due to improper interpolation of user-controlled parameters into ClickHouse queries.

Executive summary

An authenticated attacker can execute arbitrary SQL queries within ClickHouse, leading to full database compromise and potential remote code execution in OneUptime environments.

Vulnerability

The telemetry aggregation API accepts unsanitized request parameters and appends them directly to ClickHouse SQL queries. An authenticated user can therefore alter the intended query logic to perform unauthorized data modifications or read sensitive telemetry data across all tenants.

Business impact

A successful exploit poses a critical risk to data confidentiality and integrity, as an attacker could gain access to sensitive telemetry data belonging to all system tenants. Given the CVSS score of 9.9, the impact is severe, potentially allowing for remote code execution via ClickHouse table functions and total system takeover. This could result in significant service disruption and loss of customer trust.

Remediation

Immediate Action: Update OneUptime to version 10.0.23 or later, which applies the necessary input validation and parameterized query bindings.

Proactive Monitoring: Review ClickHouse logs for unusual query patterns, specifically those involving the .append() method or unexpected table function calls.

Compensating Controls: Implement strict network-level access controls to the ClickHouse interface and utilize a Web Application Firewall (WAF) to filter suspicious API parameters.
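To make the remediation concrete, here is an added example (not OneUptime's own code) contrasting the vulnerable shape described above, request parameters interpolated into ClickHouse SQL text, with the hardened shape: identifiers checked against an allow-list and values bound as ClickHouse server-side query parameters (`{name:Type}`), the `{ query, query_params }` form accepted by the official `@clickhouse/client` Node library. The table and column names, the `AggregationRequest` shape and the sample request are assumptions constructed for the example.

```typescript
// Assumed request shape: metric and func come from the HTTP request (user-controlled),
// projectId comes from the authenticated session (tenant scope), since is a timestamp.
interface AggregationRequest {
  metric: string;
  func: string;
  projectId: string;
  since: string; // "YYYY-MM-DD HH:MM:SS"
}

// VULNERABLE shape (the bug class in this advisory): every field is pasted into the SQL text,
// so a quote in `metric` or `func` rewrites the query the server will run.
function buildAggregationQueryUnsafe(req: AggregationRequest): string {
  return `SELECT ${req.func}(value) FROM telemetry_metrics ` +
    `WHERE project_id = '${req.projectId}' AND name = '${req.metric}' ` +
    `AND time >= '${req.since}'`;
}

// Hardened shape: identifiers cannot be bound as values, so they are allow-listed;
// values are sent separately as query_params and typed by ClickHouse ({name:String}).
const ALLOWED_FUNCS: ReadonlySet<string> = new Set(["avg", "sum", "min", "max", "count"]);
const METRIC_NAME = /^[A-Za-z_][A-Za-z0-9_.]{0,127}$/; // constructed naming rule for this example

interface BoundQuery {
  query: string;
  query_params: Record<string, string>;
}

function buildAggregationQuery(req: AggregationRequest): BoundQuery {
  if (!ALLOWED_FUNCS.has(req.func)) {
    throw new Error(`aggregation function not allowed: ${req.func}`);
  }
  if (!METRIC_NAME.test(req.metric)) {
    throw new Error("invalid metric name");
  }
  return {
    query: `SELECT ${req.func}(value) FROM telemetry_metrics ` +
      `WHERE project_id = {projectId:String} AND name = {metric:String} ` +
      `AND time >= {since:DateTime}`,
    query_params: { projectId: req.projectId, metric: req.metric, since: req.since },
  };
}

// Constructed sample: a metric name carrying a quote, which the unsafe builder
// accepts verbatim and the hardened builder rejects before any SQL is formed.
const sampleRequest: AggregationRequest = {
  metric: "cpu_usage' OR 1=1 --",
  func: "avg",
  projectId: "proj-1",
  since: "2026-01-01 00:00:00",
};
```

The hardened builder never places tenant or metric values inside the SQL string, so the text that reaches ClickHouse is the same for every request and only the bound parameters differ.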

Exploitation status

Public Exploit Available: false

Analyst recommendation

The severity of this SQL injection vulnerability cannot be overstated, as it grants deep access to the underlying data infrastructure. Organizations using OneUptime must prioritize the update to version 10.0.23 immediately. Failure to remediate this flaw exposes the entire telemetry dataset and the host environment to complete compromise.