Appsmith Developer Tool Vulnerability Let Attackers Execute Remote Code
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
Security researchers have uncovered multiple critical vulnerabilities in Appsmith, a popular open-source developer platform for building internal applications.
Most concerning is CVE-2024-55963, which allows unauthenticated attackers to execute arbitrary system commands on servers running default installations of Appsmith versions 1.20 through 1.51.
CVE-2024-55963 – Remote Code Execution as PostgreSQL user
Appsmith, which helps organizations build dashboards, admin panels, and customer support tools, ships with a local PostgreSQL database intended for practice and learning purposes.
Rhino Security Labs discovered this database was critically misconfigured in its default installation.
Configuration allows local user to connect as any PostgreSQL user
The PostgreSQL authentication configuration file (pg_hba.conf) contained settings that allowed any local user to connect as any PostgreSQL user without requiring a password.
The vulnerability became exploitable because Appsmith’s default configuration allows new user signups.An attacker could register an account, create a workspace, add a new application, and then connect to the misconfigured local PostgreSQL database.
Once connected, the attacker could leverage PostgreSQL’s COPY FROM PROGRAM function to execute arbitrary system commands with the privileges of the PostgreSQL user.
Technical Exploitation Path
The proof-of-concept exploit demonstrated by researchers used the following SQL commands:
This simple sequence allowed attackers to create a temporary table, execute the Unix ‘cat’ command to read system files, retrieve the results, and remove evidence by dropping the table.
The security audit also revealed two other significant vulnerabilities:
CVE-2024-55964: An Insecure Direct Object Reference vulnerability allowed users with minimal “App Viewer” permissions to access SQL databases by exploiting predictable datasource IDs and the “/api/v1/datasources/[datasource-id]/schema-preview” API endpoint.
CVE-2024-55965: A Denial of Service vulnerability enabled users with limited permissions to repeatedly trigger application restarts via a broken access control in the restart API functionality.
Vulnerability Impact
The combination of these vulnerabilities created a significant security risk for organizations using Appsmith.
The most severe issue, CVE-2024-55963, essentially provided a path for complete system compromise from an unauthenticated position. Any attacker who discovered an organization’s Appsmith installation could potentially:
Appsmith has collaborated with Rhino Security Labs to address all three vulnerabilities:
CVE-2024-55963 (Remote Code Execution): Patched in version 1.52 with PR #37068, which hardened the PostgreSQL configuration and implemented password-based authentication for the internal database.
CVE-2024-55964 (IDOR): This was fixed in version 1.49 with PR #37308, adding proper role-based access controls to the vulnerable API endpoint.
CVE-2024-55965 (Denial of Service): Resolved in version 1.48 with PR #37227, implementing proper access control checks for the restart functionality.
Organizations running Appsmith instances should immediately upgrade to version 1.52 or later to protect against all identified vulnerabilities.
The security researchers have published detailed technical analyses and detection tools, including Nuclei templates for scanning vulnerable instances.
#Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
Appsmith Developer Tool Vulnerability Let Attackers Execute Remote Code
Author: KaaviyaSecurity researchers have uncovered multiple critical vulnerabilities in Appsmith, a popular open-source developer platform for building internal applications.
Most concerning is CVE-2024-55963, which allows unauthenticated attackers to execute arbitrary system commands on servers running default installations of Appsmith versions 1.20 through 1.51.
CVE-2024-55963 – Remote Code Execution as PostgreSQL user
Appsmith, which helps organizations build dashboards, admin panels, and customer support tools, ships with a local PostgreSQL database intended for practice and learning purposes.
Rhino Security Labs discovered this database was critically misconfigured in its default installation.
Configuration allows local user to connect as any PostgreSQL userThe PostgreSQL authentication configuration file (pg_hba.conf) contained settings that allowed any local user to connect as any PostgreSQL user without requiring a password.
The vulnerability became exploitable because Appsmith’s default configuration allows new user signups.An attacker could register an account, create a workspace, add a new application, and then connect to the misconfigured local PostgreSQL database.
Once connected, the attacker could leverage PostgreSQL’s COPY FROM PROGRAM function to execute arbitrary system commands with the privileges of the PostgreSQL user.
Technical Exploitation Path
The proof-of-concept exploit demonstrated by researchers used the following SQL commands:
This simple sequence allowed attackers to create a temporary table, execute the Unix ‘cat’ command to read system files, retrieve the results, and remove evidence by dropping the table.
The security audit also revealed two other significant vulnerabilities:
CVE-2024-55964: An Insecure Direct Object Reference vulnerability allowed users with minimal “App Viewer” permissions to access SQL databases by exploiting predictable datasource IDs and the “/api/v1/datasources/[datasource-id]/schema-preview” API endpoint.
CVE-2024-55965: A Denial of Service vulnerability enabled users with limited permissions to repeatedly trigger application restarts via a broken access control in the restart API functionality.
Vulnerability Impact
The combination of these vulnerabilities created a significant security risk for organizations using Appsmith.
The most severe issue, CVE-2024-55963, essentially provided a path for complete system compromise from an unauthenticated position. Any attacker who discovered an organization’s Appsmith installation could potentially:
- Register a user account
- Create a workspace and application
- Connect to the local PostgreSQL database
- Execute arbitrary system commands
- Gain persistent access to the underlying serve
Appsmith has collaborated with Rhino Security Labs to address all three vulnerabilities:
CVE-2024-55963 (Remote Code Execution): Patched in version 1.52 with PR #37068, which hardened the PostgreSQL configuration and implemented password-based authentication for the internal database.
CVE-2024-55964 (IDOR): This was fixed in version 1.49 with PR #37308, adding proper role-based access controls to the vulnerable API endpoint.
CVE-2024-55965 (Denial of Service): Resolved in version 1.48 with PR #37227, implementing proper access control checks for the restart functionality.
Organizations running Appsmith instances should immediately upgrade to version 1.52 or later to protect against all identified vulnerabilities.
The security researchers have published detailed technical analyses and detection tools, including Nuclei templates for scanning vulnerable instances.
#Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
