A major security vulnerability has been found in Denodo Scheduler, a data management software component, that allows attackers to execute remote code on affected systems.
The flaw, identified as CVE-2025-26147, exploits a path traversal vulnerability in the Kerberos authentication configuration feature, potentially compromising the security of enterprise data management infrastructure.
Path Traversal Vulnerability
The vulnerability affects Denodo Scheduler version 8.0.202309140, a Java-based web application that provides time-based job scheduling for data extraction and integration operations.
The security flaw resides in the Kerberos authentication configuration functionality, specifically in the keytab file upload mechanism.
When administrators attempt to upload keytab files, which store service principal credentials for Kerberos authentication, the application fails to properly validate the filename parameter in multipart form data POST requests.
Attackers can exploit this weakness by manipulating the filename attribute in the Content-Disposition HTTP header using directory traversal sequences.
A malicious payload such as filename="../../../../opt/denodo/malicious.file.txt" enables unauthorized file uploads to arbitrary locations on the server's filesystem.
While the application appends a timestamp to uploaded filenames (e.g., malicious.file-1711156561716.txt), this timestamp is returned to the client in the HTTP response, eliminating the need for attackers to guess the exact filename.
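The following Python sketch is an added example, not code from the page, from Denodo, or from Rhino Security Labs. It contrasts the flawed pattern described above (a client-supplied filename joined to the destination directory verbatim, with a timestamp appended) with a hardened upload handler that rejects path characters, allowlists the filename, and verifies that the final path stays inside the keytab directory. It also includes a small check that flags traversal sequences in filename attributes recorded in request logs. The keytab directory, the endpoint path and the log lines are constructed assumptions, not Denodo's real paths or log format.

```python
import posixpath
import re
from typing import List, Optional

# Assumed destination directory for uploaded keytabs (hypothetical, not Denodo's real path).
KEYTAB_DIR = "/opt/denodo/conf/keytabs"
_KEYTAB_EXT = ".keytab"

# Minimal extraction of the filename attribute from a multipart Content-Disposition header.
_FILENAME_RE = re.compile(r'filename="([^"]*)"')
# Allowlist: first character alphanumeric, then a short run of [A-Za-z0-9._-].
_SAFE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


class UnsafeFilename(ValueError):
    """Raised when a submitted filename must not be used to build a destination path."""


def filename_from_content_disposition(header: str) -> Optional[str]:
    m = _FILENAME_RE.search(header)
    return m.group(1) if m else None


def _with_timestamp(name: str, ts_ms: int) -> str:
    # Reproduces the naming pattern from the article: "malicious.file.txt" -> "malicious.file-<ts>.txt".
    stem, dot, ext = name.rpartition(".")
    return f"{stem}-{ts_ms}.{ext}" if dot else f"{name}-{ts_ms}"


def vulnerable_destination(base: str, submitted_name: str, ts_ms: int) -> str:
    """The flawed pattern: the client-controlled filename is joined to the base directory as-is."""
    return posixpath.normpath(posixpath.join(base, _with_timestamp(submitted_name, ts_ms)))


def escapes_base(base: str, candidate: str) -> bool:
    """True when the normalized candidate path is not strictly inside base."""
    b = posixpath.normpath(base)
    c = posixpath.normpath(candidate)
    return c == b or posixpath.commonpath([b, c]) != b


def safe_keytab_destination(base: str, submitted_name: str, ts_ms: int) -> str:
    """Hardened pattern: reject instead of sanitizing, then verify containment anyway."""
    if any(tok in submitted_name for tok in ("/", "\\", "\x00", "..")):
        raise UnsafeFilename(f"path characters in filename: {submitted_name!r}")
    if not _SAFE_NAME_RE.fullmatch(submitted_name) or not submitted_name.endswith(_KEYTAB_EXT):
        raise UnsafeFilename(f"filename outside allowlist: {submitted_name!r}")
    dest = posixpath.join(base, _with_timestamp(submitted_name, ts_ms))
    # Defense in depth: even a name that passed the allowlist must resolve under base.
    if escapes_base(base, dest):
        raise UnsafeFilename(f"destination escapes base directory: {dest!r}")
    return posixpath.normpath(dest)


def suspicious_upload_filenames(log_lines: List[str]) -> List[str]:
    """Return submitted filenames from log lines that show traversal, an absolute path,
    or an extension other than .keytab on the keytab upload endpoint."""
    hits = []
    for line in log_lines:
        name = filename_from_content_disposition(line)
        if name is None:
            continue
        if ("../" in name or "..\\" in name or name.startswith(("/", "\\"))
                or not name.endswith(_KEYTAB_EXT)):
            hits.append(name)
    return hits


# Constructed sample request-log lines (not real Denodo output); the endpoint path is hypothetical.
SAMPLE_LOG = [
    '2024-04-09T10:01:02Z POST /scheduler/admin/kerberos/keytab user=admin filename="svc-scheduler.keytab" status=200',
    '2024-04-09T10:05:44Z POST /scheduler/admin/kerberos/keytab user=admin filename="../../../../opt/denodo/malicious.file.txt" status=200',
    '2024-04-09T10:06:10Z POST /scheduler/admin/kerberos/keytab user=admin filename="notes.txt" status=200',
]

if __name__ == "__main__":
    ts = 1711156561716
    print("flawed :", vulnerable_destination(KEYTAB_DIR, "../../../../opt/denodo/malicious.file.txt", ts))
    print("safe   :", safe_keytab_destination(KEYTAB_DIR, "svc-scheduler.keytab", ts))
    print("flagged:", suspicious_upload_filenames(SAMPLE_LOG))
```

The hardened handler deliberately rejects any name containing a separator or ".." rather than stripping those characters, so an attempt is surfaced as an error that can be logged, and the containment check is kept as a second, independent control in case the allowlist is later relaxed.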
The path traversal vulnerability becomes critically dangerous when combined with the application's Apache Tomcat deployment environment.
Security researchers identified that the web server's root directory at /path/to/webroot/resources/apache-tomcat/webapps/ROOT/ provides an ideal target for malicious file placement.
By uploading a JavaServer Pages (JSP) web shell to this location, attackers can achieve full remote code execution capabilities.
The researchers demonstrated the attack using a concise Java web shell that accepts commands via GET request parameters.
Once deployed, this web shell allows attackers to execute arbitrary system commands by accessing the uploaded JSP file with command parameters, effectively providing full control over the compromised server.
Risk Factors
Affected Products: Denodo Scheduler (v8.0.202309140)
Impact: Remote Code Execution (RCE)
Exploit Prerequisites: Administrative access to configure Kerberos authentication; ability to upload malicious keytab files; Apache Tomcat deployment environment
CVSS 3.1 Score: 8.8 (High)
Mitigations
Rhino Security Labs, the security firm that discovered the vulnerability, reported the issue to Denodo on April 9, 2024.
The vendor demonstrated exemplary response time, acknowledging the vulnerability and releasing a security patch on April 23, 2024, just 14 days after initial disclosure.
The vulnerability has been addressed in Denodo 8.0 update 20240307, and organizations using affected versions should immediately apply this security update.
This incident underscores the critical importance of implementing secure coding practices, particularly around file upload functionality and input validation.
The vulnerability's progression from a simple path traversal flaw to remote code execution capability highlights how seemingly minor security oversights can lead to full system compromise.
Organizations using Denodo Scheduler should prioritize patch deployment and conduct security assessments of their data management infrastructure to ensure comprehensive protection against similar attack vectors.