Arcane Command Injection Vulnerability in Updater Service Allows Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in the updater service of Arcane, a modern Docker management tool, in versions prior to 1.13.0. The issue arises from lifecycle labels that allow users to define commands to be executed before or after a container update. These label values are passed directly to the shell without any sanitization or validation. Since any authenticated user can create projects through the API, an attacker could specify a malicious command in the lifecycle label. When an administrator triggers a container update, the command is executed within the container. This vulnerability could lead to remote code execution, especially if the container has host volume mounts that allow access to the host filesystem.

Impact

Exploitation of this vulnerability allows for remote code execution within the context of the updated container. If the container has host volume mounts, the executed command could access the host filesystem, potentially leading to data theft or, in some cases, a full host compromise.

Reproduction

To reproduce this vulnerability, an authenticated user can create a project through the Arcane API that includes a malicious command in the 'pre-update' or 'post-update' lifecycle label. Once the project is created, an administrator can trigger a container update, either manually or through a scheduled update check. During the update process, Arcane will execute the command specified in the lifecycle label as a shell command inside the container, thereby exploiting the command injection vulnerability.
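The unsafe pattern the advisory describes (a label value handed to `sh -c`) beside a hardened alternative that never lets a shell see the value, plus an audit helper an administrator can run over a project's labels before triggering the update described above. This is an added Go example, not Arcane's own code or its actual 1.13.0 fix; it assumes a Go backend, and the label keys `arcane.lifecycle.pre-update` / `arcane.lifecycle.post-update`, the hook path `/app/hooks/migrate.sh` and the sample label values are constructed for illustration. The audit helper goes slightly beyond the page: it generalizes the single-label check to every lifecycle label on a service.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// Hypothetical label keys; the real key names used by Arcane are not given in the advisory.
var lifecycleLabelKeys = []string{
	"arcane.lifecycle.pre-update",
	"arcane.lifecycle.post-update",
}

// shellMeta lists characters that let a label value escape a single command once
// the value is interpolated into a `sh -c` command line.
const shellMeta = ";&|$`<>(){}\n\r*?~\\\"'"

// VulnerableHook mirrors the flawed pattern in the advisory: the raw label value
// becomes an entire shell command line, so any metacharacter in it is honoured.
func VulnerableHook(label string) *exec.Cmd {
	return exec.Command("sh", "-c", label)
}

// ValidateLifecycleCommand splits the label on whitespace (no shell interpretation),
// rejects shell metacharacters outright, and requires the program to be on an
// operator-maintained allowlist of hook executables.
func ValidateLifecycleCommand(label string, allowed map[string]bool) ([]string, error) {
	if strings.ContainsAny(label, shellMeta) {
		return nil, errors.New("lifecycle command contains shell metacharacters")
	}
	argv := strings.Fields(label)
	if len(argv) == 0 {
		return nil, errors.New("lifecycle command is empty")
	}
	if !allowed[argv[0]] {
		return nil, fmt.Errorf("program %q is not on the lifecycle hook allowlist", argv[0])
	}
	return argv, nil
}

// HardenedHook builds the command as an argv vector, so the label value is passed
// to the program as arguments and is never parsed by a shell.
func HardenedHook(label string, allowed map[string]bool) (*exec.Cmd, error) {
	argv, err := ValidateLifecycleCommand(label, allowed)
	if err != nil {
		return nil, err
	}
	return exec.Command(argv[0], argv[1:]...), nil
}

// AuditLabels reports every lifecycle label on a service that would fail validation,
// so an administrator can review a project before triggering an update.
func AuditLabels(labels map[string]string, allowed map[string]bool) []string {
	var findings []string
	for _, key := range lifecycleLabelKeys {
		val, ok := labels[key]
		if !ok {
			continue
		}
		if _, err := ValidateLifecycleCommand(val, allowed); err != nil {
			findings = append(findings, fmt.Sprintf("%s: %v", key, err))
		}
	}
	return findings
}

func main() {
	allowed := map[string]bool{"/app/hooks/migrate.sh": true}
	// Constructed sample labels: one legitimate hook and one that the validator rejects.
	labels := map[string]string{
		"arcane.lifecycle.pre-update":  "/app/hooks/migrate.sh --dry-run",
		"arcane.lifecycle.post-update": "/app/hooks/migrate.sh; echo injected",
	}
	for _, f := range AuditLabels(labels, allowed) {
		fmt.Println("finding:", f)
	}
	if cmd, err := HardenedHook(labels["arcane.lifecycle.pre-update"], allowed); err == nil {
		fmt.Println("would run argv:", cmd.Args)
	}
}
```

The allowlist is the part that matters most: even with metacharacters stripped, letting any authenticated user pick an arbitrary program to run in the container is still arbitrary code execution, so the set of permitted hook executables should be fixed by the operator, not by whoever created the project.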

Remediation

Users can update to Arcane version 1.13.0 or later, where this vulnerability has been fixed.

Added: Jan 15, 2026, 8:38 PM
Updated: Jan 15, 2026, 8:38 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact         10.0
exploitability  5.8
remediation     0.0
relevance       2.1
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.