Dify Default Credentials Vulnerability Allowing Database Access and Potential Code Execution

Vulnerability

A vulnerability exists in Dify versions through 1.5.1, where default PostgreSQL credentials are hardcoded in the docker-compose.yaml file. The default username is 'postgres' and the password is 'difyai123456'. If the PostgreSQL service is exposed to the internet, an attacker can gain unauthorized access to the database. This access could lead to the disclosure of sensitive information, unauthorized data manipulation, and, with superuser privileges, the execution of arbitrary commands on the database host.

Impact

Exploitation of this vulnerability allows unauthorized access to the PostgreSQL database, with the potential to read, modify, or delete data. Additionally, if an attacker gains superuser access, they could execute arbitrary commands on the host system where the database is running.

Reproduction

To reproduce this vulnerability, deploy Dify using the default docker-compose.yaml file from a version through 1.5.1, without changing the default environment variables. Ensure that port 5432, used by PostgreSQL, is accessible from the internet. After deployment, use the default credentials to log into the PostgreSQL database from a remote machine. A successful login confirms the vulnerability.

Remediation

Users should change the default PostgreSQL password to a strong, unique value and ensure that port 5432 is not exposed to the internet (for example, bind it to localhost or do not publish it at all). Alternatively, update Dify to a version that addresses this vulnerability.
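The two conditions the advisory describes (the default password present in a compose file, and port 5432 published on every interface) can be checked before deployment. The following audit is an added example, not part of the original advisory or of Dify's own code; the compose fragments are constructed for illustration, not Dify's actual docker-compose.yaml, and the line-based scan assumes the flat key/value and port-list style shown.

```python
import re

# Default credentials named in the advisory.
DEFAULT_USER = "postgres"
DEFAULT_PASSWORD = "difyai123456"

# Constructed compose fragment with the weak settings (not Dify's real file).
WEAK_COMPOSE = """\
services:
  db:
    image: postgres:15-alpine
    environment:
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: difyai123456
    ports:
      - "5432:5432"
"""

# Constructed hardened fragment: password injected from the environment and
# required to be set, port bound to the loopback interface only.
HARDENED_COMPOSE = """\
services:
  db:
    image: postgres:15-alpine
    environment:
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: ${DB_PASSWORD:?set a strong password in .env}
    ports:
      - "127.0.0.1:5432:5432"
"""

PASSWORD_RE = re.compile(r"\s*POSTGRES_PASSWORD\s*[:=]\s*['\"]?([^'\"\s]+)")
# Matches "- HOST:PUBLISHED:5432" or "- PUBLISHED:5432" port entries.
PORT_RE = re.compile(
    r"\s*-\s*['\"]?(?:(?P<host>[\d.]+):)?(?P<pub>\d+):5432(?:/tcp)?['\"]?\s*$"
)


def audit_compose(text: str) -> list:
    """Return findings for a compose document: default password and/or
    PostgreSQL published on all interfaces (no host, or 0.0.0.0)."""
    findings = []
    for line in text.splitlines():
        m = PASSWORD_RE.match(line)
        if m and m.group(1) == DEFAULT_PASSWORD:
            findings.append("default PostgreSQL password is set")
        m = PORT_RE.match(line)
        if m and m.group("host") in (None, "0.0.0.0"):
            findings.append(f"PostgreSQL published on all interfaces (port {m.group('pub')})")
    return findings
```

Running `audit_compose` over the weak fragment reports both findings; over the hardened fragment it reports none.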

Added: Dec 18, 2025, 7:26 PM
Updated: Dec 18, 2025, 7:26 PM

Vulnerability Rating (Custom Algorithm)

Metric          Score
spread          0.0
impact          7.5
exploitability  6.0
remediation     8.3
relevance       1.6
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.