DbGate Unauthorized File Access Vulnerability in CSV Plugin
Vulnerability
A vulnerability in DbGate versions through 6.6.0 has been identified, allowing unauthorized access to files on the system. This issue arises from inadequate validation of file paths and types in the DbGate CSV plugin. Users with application-level access can read data from arbitrary files, including sensitive files like '/etc/shadow', regardless of their location or file type. The vulnerability exists because the plugin does not properly check content types and file extensions before accessing files, enabling the reading of files restricted to the root user through the application interface.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the system, potentially including files that contain critical system or user information.
Reproduction
To reproduce this vulnerability, send a POST request to the '/runners/load-reader' endpoint with a payload that includes the name of a file that should not be accessible, such as '/etc/shadow'. The request must include an authorization token and can be made using a web browser or a tool like curl.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.