A significant security vulnerability has been discovered in Denodo Scheduler, a data management<\/a> software component, that allows attackers to execute remote code on affected systems.\u00a0<\/p>\n The flaw, identified as CVE-2025-26147, exploits a path traversal vulnerability in the Kerberos authentication configuration feature, potentially compromising the security of enterprise data management infrastructure.<\/p>\n The vulnerability affects Denodo Scheduler version 8.0.202309140, a Java-based web application that provides time-based job scheduling for data extraction and integration operations.\u00a0<\/p>\n The security flaw resides in the Kerberos authentication configuration functionality, specifically in the keytab file upload mechanism.\u00a0<\/p>\n When administrators attempt to upload keytab files which store service principal credentials for Kerberos authentication<\/a> the application fails to properly validate the filename parameter in multipart form data POST requests.<\/p>\n Attackers can exploit this weakness by manipulating the filename attribute in the Content-Disposition HTTP header using directory traversal sequences.\u00a0<\/p>\n A malicious payload such as filename=\u201d..\/..\/..\/..\/opt\/denodo\/malicious.file.txt\u201d enables unauthorized file uploads to arbitrary locations on the server\u2019s filesystem.\u00a0<\/p>\n While the application appends a timestamp to uploaded filenames (e.g., malicious.file-1711156561716.txt), this timestamp is returned to the user via HTTP response, eliminating the need for attackers to guess the exact filename.<\/p>\n The path traversal vulnerability becomes critically dangerous when combined with the application\u2019s Apache Tomcat<\/a> deployment environment.\u00a0<\/p>\n Security researchers identified that the web server\u2019s root directory at \/path\/to\/webroot\/resources\/apache-tomcat\/webapps\/ROOT\/ provides an ideal target for malicious file placement.\u00a0<\/p>\n By uploading a JavaServer Pages (JSP) web shell to this location, attackers can achieve complete remote code execution capabilities.<\/p>\n The researchers demonstrated the attack using a concise Java web shell that accepts commands through GET request parameters:<\/p>\n Once deployed, this web shell allows attackers to execute arbitrary system commands by accessing the uploaded JSP file with command parameters, effectively providing complete control over the compromised server.<\/p>\nPath Traversal Vulnerability\u00a0<\/strong><\/h2>\n
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcShnnFs5pqLoskenxFrcUMZAn0LI8m7g4nW-UpCT7cVZIkmAQwAuB64t1AEHurPOY7VPp2Ux1XkEamAYTjZUXJiTChDjBFGkwWCMCJCGaeZrysHpeMkRZLfNHYU1mAUrDJt10q5Q?key=4mJehQOll0NiBaJxX-Qnmw\")