Polyaxon Directory Traversal Vulnerability Allowing Unauthenticated Access to Sensitive System Files
Vulnerability
A directory traversal vulnerability has been identified in the latest version of Polyaxon. It allows unauthenticated attackers to read directory information and file contents from the server, bypassing authorization measures. Sensitive files in system directories such as '/etc' can be retrieved, which poses significant security risks by disclosing confidential information.
Impact
Exploitation of this vulnerability leads to unauthorized access to sensitive system files, such as 'passwd' and 'shadow', which could be used to escalate privileges or compromise the system. Additionally, this vulnerability could be combined with another identified issue in Polyaxon, allowing for arbitrary file access within the permission scope, further exacerbating the security risks.
Reproduction
The vulnerability can be reproduced by sending a GET request to the '/streams/v1/polyaxon/default/s/runs/../artifacts/tree' endpoint, with a 'path' parameter that includes directory traversal sequences. The request must include the 'X-POLYAXON-SERVICE' header set to 'ui'. This will return a 200 status code and disclose directory information and file contents from the '/etc' directory on the server.
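For detection, the request shape described above can be looked for in web or ingress access logs. The following is an added example, not Polyaxon code: it assumes only the request target (path plus query string) is logged, so the 'X-POLYAXON-SERVICE' header is not checked, and the sample targets and run identifier are constructed.

```python
from urllib.parse import parse_qs, unquote, urlsplit

TREE_SUFFIX = "/artifacts/tree"  # endpoint suffix named in the advisory

def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly so double-encoded dot segments are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_dotdot(value):
    """True if any '/'- or '\\'-separated segment decodes to exactly '..'."""
    return ".." in fully_unquote(value).replace("\\", "/").split("/")

def classify(request_target):
    """Return the reasons a logged request target matches the reported pattern."""
    parts = urlsplit(request_target)
    url_path = fully_unquote(parts.path)
    if not url_path.startswith("/streams/"):
        return []
    reasons = []
    # A legitimate client puts a run identifier where the report has '..'.
    if has_dotdot(parts.path):
        reasons.append("dotdot-in-url-path")
    if url_path.endswith(TREE_SUFFIX):
        values = parse_qs(parts.query).get("path", [])
        if any(has_dotdot(v) for v in values):
            reasons.append("dotdot-in-path-param")
    return reasons

# Constructed request targets (not captured traffic); RUN_ID is a made-up value.
RUN_ID = "0123456789abcdef0123456789abcdef"
SAMPLES = [
    "/streams/v1/polyaxon/default/s/runs/../artifacts/tree?path=../../etc",
    f"/streams/v1/polyaxon/default/s/runs/{RUN_ID}/artifacts/tree?path=outputs/model",
    "/streams/v1/polyaxon/default/s/runs/%2e%2e/artifacts/tree?path=%252e%252e%252fetc",
]

def flagged(targets=SAMPLES):
    """Return only the targets that produced at least one reason."""
    return [t for t in targets if classify(t)]

if __name__ == "__main__":
    for target in SAMPLES:
        print(classify(target) or "ok", target)
```

A hit that was answered with a 200 status code, as the reproduction describes, is the case to triage first.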
