Impact
A SQL injection flaw exists in the set_uri_query parameter used by the KeyPartitioner::partition function in Datadog Vector 0.54.0. An attacker can inject crafted SQL statements that read sensitive information from the database, potentially exposing confidential data. The weakness is a classic input validation failure (CWE-89).
Affected Systems
The vulnerable component is Datadog Vector, version 0.54.0, released by Datadog, Inc. No other affected versions or products are listed in the advisory.
Risk and Exploitability
The CVSS score of 9.8 indicates a critical level of risk. The EPSS score of <1% suggests that exploitation attempts are currently rare, and the vulnerability is not yet listed in CISA KEV. The likely attack vector is through the API that accepts the set_uri_query parameter; an attacker would need network access to the host running the vulnerable service. Given the high severity, organizations should treat this as a high priority even though current exploitation probability is low.
OpenCVE Enrichment