Security researchers have uncovered multiple critical vulnerabilities in Appsmith, a popular open-source developer platform for building internal applications.\u00a0<\/p>\n
Most concerning is CVE-2024-55963, which allows unauthenticated attackers to execute arbitrary system commands on servers running default installations of Appsmith versions 1.20 through 1.51.<\/p>\n
CVE-2024-55963 \u2013 Remote Code Execution as PostgreSQL user<\/strong><\/h2>\nAppsmith, which helps organizations build dashboards, admin panels, and customer support tools, ships with a local PostgreSQL database<\/a> intended for practice and learning purposes.\u00a0<\/p>\nRhino Security Labs discovered this database was critically misconfigured in its default installation.\u00a0<\/p>\n
\n![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXeykB22nGKMZPeeHAEz6oD6jlDh9vp6Vqocj15vrax0xH08xHBW2zn5--WECkNPCHy7TNSBCQkJANGRyWO4hyE6BnFwAdY5Pv3TKx6aK2oQ_mDfCB1EhXDYluKakFgJLkhwGekt?key=svh5lX2FW-P1ecqhavi45Ppv\")
Configuration allows local user to connect as any PostgreSQL user<\/figcaption><\/figure>\n<\/div>\nThe PostgreSQL authentication configuration file (pg_hba.conf) contained settings that allowed any local user to connect as any PostgreSQL user without requiring a password.<\/p>\n
The vulnerability became exploitable because Appsmith\u2019s default configuration allows new user signups.\u00a0An attacker could register an account, create a workspace, add a new application, and then connect to the misconfigured local PostgreSQL database.<\/p>\n
Stop attacks before they start, powered by a 97% precise neural Network to Detect Cyber Attacks<\/a><\/strong><\/p>\nOnce connected, the attacker could leverage PostgreSQL\u2019s COPY FROM PROGRAM function to execute arbitrary system commands with the privileges of the PostgreSQL user.<\/p>\n
Technical Exploitation Path<\/strong><\/h2>\nThe proof-of-concept exploit<\/a> demonstrated by researchers used the following SQL commands:<\/p>\n\n![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdAA8n14avIBmN4oP9nlgGQYfUZcsj-CN0XhrKLYW5-1eC32hfDFvWjPXjgOUWP6YSpGSCwyLPYBA29AR5Mp4GJHIvH8WsFAO7xIe--7FoYl38d7GbDvT1iL7Ki-5kGTp6c2Z3_-g?key=svh5lX2FW-P1ecqhavi45Ppv\")
<\/figure>\n<\/div>\nThis simple sequence allowed attackers to create a temporary table, execute the Unix \u2018cat\u2019 command to read system files, retrieve the results, and remove evidence by dropping the table.<\/p>\n
The security audit also revealed<\/a> two other significant vulnerabilities:<\/p>\nCVE-2024-55964:<\/strong> An Insecure Direct Object Reference vulnerability allowed users with minimal \u201cApp Viewer\u201d permissions to access SQL databases by exploiting predictable datasource IDs and the \u201c\/api\/v1\/datasources\/[datasource-id]\/schema-preview\u201d API endpoint.<\/p>\nCVE-2024-55965:<\/strong> A Denial of Service<\/a> vulnerability enabled users with limited permissions to repeatedly trigger application restarts via a broken access control in the restart API functionality.<\/p>\nVulnerability Impact<\/strong><\/h2>\nThe combination of these vulnerabilities created a significant security risk for organizations using Appsmith.\u00a0<\/p>\n
The most severe issue, CVE-2024-55963, essentially provided a path for complete system compromise from an unauthenticated position. Any attacker who discovered an organization\u2019s Appsmith installation could potentially:<\/p>\n
\n- Register a user account<\/li>\n
- Create a workspace and application<\/li>\n
- Connect to the local PostgreSQL database<\/li>\n
- Execute arbitrary system commands<\/li>\n
- Gain persistent access to the underlying serve<\/li>\n<\/ul>\n
Appsmith has collaborated<\/a> with Rhino Security Labs to address all three vulnerabilities:<\/p>\nCVE-2024-55963 (Remote Code Execution): <\/strong>Patched in version 1.52 with PR #37068, which hardened the PostgreSQL configuration and implemented password-based authentication for the internal database.<\/p>\nCVE-2024-55964 (IDOR): <\/strong>This was fixed in version 1.49 with PR #37308, adding proper role-based access controls to the vulnerable API endpoint<\/a>.<\/p>\nCVE-2024-55965 (Denial of Service): <\/strong>Resolved in version 1.48 with PR #37227, implementing proper access control checks for the restart functionality.<\/p>\nOrganizations running Appsmith instances should immediately upgrade to version 1.52 or later to protect against all identified vulnerabilities.\u00a0<\/p>\n
The security researchers have published detailed technical analyses and detection tools, including Nuclei templates for scanning vulnerable instances.<\/p>\n
Investigate Real-World Malicious Links & Phishing Attacks With\u00a0Threat Intelligence Lookup<\/strong>\u00a0-\u00a0Try for Free<\/a><\/code><\/strong><\/code><\/strong><\/p>\nThe post Appsmith Developer Tool Vulnerability Let Attackers Execute Remote Code<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
Rhino Security Labs discovered this database was critically misconfigured in its default installation.\u00a0<\/p>\n
The PostgreSQL authentication configuration file (pg_hba.conf) contained settings that allowed any local user to connect as any PostgreSQL user without requiring a password.<\/p>\n
The vulnerability became exploitable because Appsmith\u2019s default configuration allows new user signups.\u00a0An attacker could register an account, create a workspace, add a new application, and then connect to the misconfigured local PostgreSQL database.<\/p>\n
Stop attacks before they start, powered by a 97% precise neural Network to Detect Cyber Attacks<\/a><\/strong><\/p>\n Once connected, the attacker could leverage PostgreSQL\u2019s COPY FROM PROGRAM function to execute arbitrary system commands with the privileges of the PostgreSQL user.<\/p>\n The proof-of-concept exploit<\/a> demonstrated by researchers used the following SQL commands:<\/p>\n This simple sequence allowed attackers to create a temporary table, execute the Unix \u2018cat\u2019 command to read system files, retrieve the results, and remove evidence by dropping the table.<\/p>\n The security audit also revealed<\/a> two other significant vulnerabilities:<\/p>\n CVE-2024-55964:<\/strong> An Insecure Direct Object Reference vulnerability allowed users with minimal \u201cApp Viewer\u201d permissions to access SQL databases by exploiting predictable datasource IDs and the \u201c\/api\/v1\/datasources\/[datasource-id]\/schema-preview\u201d API endpoint.<\/p>\n CVE-2024-55965:<\/strong> A Denial of Service<\/a> vulnerability enabled users with limited permissions to repeatedly trigger application restarts via a broken access control in the restart API functionality.<\/p>\n The combination of these vulnerabilities created a significant security risk for organizations using Appsmith.\u00a0<\/p>\n The most severe issue, CVE-2024-55963, essentially provided a path for complete system compromise from an unauthenticated position. Any attacker who discovered an organization\u2019s Appsmith installation could potentially:<\/p>\n Appsmith has collaborated<\/a> with Rhino Security Labs to address all three vulnerabilities:<\/p>\n CVE-2024-55963 (Remote Code Execution): <\/strong>Patched in version 1.52 with PR #37068, which hardened the PostgreSQL configuration and implemented password-based authentication for the internal database.<\/p>\n CVE-2024-55964 (IDOR): <\/strong>This was fixed in version 1.49 with PR #37308, adding proper role-based access controls to the vulnerable API endpoint<\/a>.<\/p>\n CVE-2024-55965 (Denial of Service): <\/strong>Resolved in version 1.48 with PR #37227, implementing proper access control checks for the restart functionality.<\/p>\n Organizations running Appsmith instances should immediately upgrade to version 1.52 or later to protect against all identified vulnerabilities.\u00a0<\/p>\n The security researchers have published detailed technical analyses and detection tools, including Nuclei templates for scanning vulnerable instances.<\/p>\n The post Appsmith Developer Tool Vulnerability Let Attackers Execute Remote Code<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nTechnical Exploitation Path<\/strong><\/h2>\n
Vulnerability Impact<\/strong><\/h2>\n
\n
Investigate Real-World Malicious Links & Phishing Attacks With\u00a0Threat Intelligence Lookup<\/strong>\u00a0-\u00a0Try for Free<\/a><\/code><\/strong><\/code><\/strong><\/p>\n