IceScrum Remote Code Execution Vulnerability in Postgres JDBC Driver
Vulnerability
A remote code execution vulnerability has been identified in the Postgres Drivers component of IceScrum version 7.54 Pro On-prem. The testDbConnection HTTP endpoint accepts a user-supplied JDBC connection string and passes it to the PostgreSQL JDBC driver; a crafted connection string causes attacker-controlled code to run on the server. Because the endpoint has no adequate Cross-Site Request Forgery (CSRF) protection, an unauthenticated attacker can trick an authenticated user into submitting the malicious connection string from their own browser session, and the resulting code runs with the privileges of the IceScrum process.
Impact
Successful exploitation gives remote code execution on the host running IceScrum, with the same privileges as the IceScrum process. Because the request is made by a victim's browser, the attacker needs no IceScrum credentials of their own, only a way to make an authenticated user open an attacker-controlled link or page.
Reproduction
To reproduce this vulnerability, an authenticated IceScrum user must be induced to open an attacker-controlled link or page that submits a crafted JDBC connection string to the testDbConnection HTTP endpoint. Because the endpoint lacks CSRF protection, the victim's browser sends that request with the victim's session and the server treats it as a legitimate connection test. The server then hands the connection string to the PostgreSQL JDBC driver, and the crafted string causes the attacker's code to execute. The advisory does not specify which driver connection parameters the crafted string abuses.
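The two checks whose absence the advisory describes, as an added illustration (this is not IceScrum's code, which is Java/Groovy; it is a Python model of the same logic). The page does not say which connection-string parameters the crafted JDBC string uses, so the validator below assumes the usual pattern, in which driver-level connection properties can name a class for the driver to load, and therefore accepts only an allowlist of harmless properties. The `Request` class, the `_csrf` form field, the allowlist and the sample requests are all assumptions constructed for the example.

```python
"""Hardening model for a "test database connection" endpoint.

Added example, not IceScrum's code. The advisory says testDbConnection
accepts an attacker-chosen JDBC connection string and has no CSRF
protection. This models the two checks that close both halves:
  1. a CSRF check (POST only, same-origin Origin/Referer header, and a
     per-session anti-CSRF token echoed in the form);
  2. a JDBC URL validator that accepts only an allowlist of connection
     properties, so a crafted string cannot pass driver-level options that
     name classes for the driver to load (the assumed RCE mechanism).
All names, headers and the allowlist are assumptions for this example.
"""
import hmac
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qsl

# Properties a connection test legitimately needs (assumed allowlist).
ALLOWED_PROPS = {"user", "password", "ssl", "sslmode", "connectTimeout",
                 "ApplicationName"}
JDBC_PREFIX = "jdbc:postgresql://"


@dataclass
class Request:
    """Minimal stand-in for a framework request object (assumed shape)."""
    method: str
    headers: dict
    form: dict


class Rejected(Exception):
    """Raised when a request fails a check; message starts with the check name."""


def check_csrf(req: Request, site_origin: str, session_token: str) -> None:
    """Reject cross-site submissions. A link click or auto-submitted form
    from another site fails the Origin check and cannot know the token."""
    if req.method.upper() != "POST":
        raise Rejected("method: state-changing call must be POST")
    origin = req.headers.get("Origin")
    if origin is None and "Referer" in req.headers:
        r = urlsplit(req.headers["Referer"])
        origin = f"{r.scheme}://{r.netloc}"
    if origin != site_origin:
        raise Rejected(f"origin: {origin!r} is not {site_origin!r}")
    token = req.form.get("_csrf", "")
    if not token or not hmac.compare_digest(token, session_token):
        raise Rejected("token: missing or wrong anti-CSRF token")


def parse_jdbc_url(url: str) -> dict:
    """Parse jdbc:postgresql://host[:port]/db?k=v... and refuse any
    connection property outside ALLOWED_PROPS. Returns the accepted parts."""
    if not url.startswith(JDBC_PREFIX):
        raise Rejected("url: only jdbc:postgresql:// URLs are accepted")
    parts = urlsplit(url[len("jdbc:"):])  # netloc/path/query split
    if not parts.hostname:
        raise Rejected("url: missing host")
    database = parts.path.lstrip("/")
    if not database or not database.replace("_", "").isalnum():
        raise Rejected(f"url: bad database name {database!r}")
    props = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key not in ALLOWED_PROPS:
            # anything else (e.g. a property naming a class) is refused outright
            raise Rejected(f"url: property {key!r} is not allowed")
        props[key] = value
    return {"host": parts.hostname, "port": parts.port or 5432,
            "database": database, "props": props}


def handle_test_db_connection(req: Request, site_origin: str,
                              session_token: str) -> dict:
    """What the endpoint should do before the JDBC driver ever sees the URL."""
    check_csrf(req, site_origin, session_token)
    return parse_jdbc_url(req.form.get("url", ""))


def rejection_reason(req: Request, site_origin: str, session_token: str):
    """Name of the failing check ("method", "origin", "token", "url"), or None."""
    try:
        handle_test_db_connection(req, site_origin, session_token)
    except Rejected as e:
        return str(e).split(":", 1)[0]
    return None


if __name__ == "__main__":
    SITE, TOKEN = "https://scrum.example.com", "s3ss10n-t0k3n"  # constructed
    good = Request("POST", {"Origin": SITE}, {
        "_csrf": TOKEN,
        "url": "jdbc:postgresql://db.internal:5432/icescrum?user=app&sslmode=require"})
    print("accepted:", handle_test_db_connection(good, SITE, TOKEN))
    # Constructed cross-site submission: foreign Origin, no token, and a
    # connection property outside the allowlist.
    evil = Request("POST", {"Origin": "https://attacker.example"},
                   {"url": "jdbc:postgresql://x/db?socketFactory=some.Class"})
    print("rejected:", rejection_reason(evil, SITE, TOKEN))
```

The Origin check and the token are deliberately independent: a browser always attaches Origin to cross-site POSTs, so the first check alone stops the scenario in the advisory, and the token covers clients that omit the header. The URL allowlist is the second line of defence for the case where a legitimate user is tricked some other way; it makes the driver's more exotic connection properties unreachable from this endpoint at all.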
Remediation
Users are advised to update to a version of IceScrum in which this issue is fixed; the advisory does not name the fixed version, so confirm it against the vendor's release notes before upgrading. Apply the patch as soon as possible. Until it is applied, the exposure can be reduced by restricting who can reach the testDbConnection endpoint and by enforcing CSRF protection on it (anti-CSRF tokens, Origin checks, SameSite session cookies), since the attack depends on driving the endpoint through a victim's authenticated browser.
