lakeFS Path Traversal Vulnerability in Local Block Adapter Allows Cross-Namespace and Sibling Directory Access

Vulnerability

A path traversal vulnerability has been identified in lakeFS versions prior to 1.77.0, specifically within the local block adapter. This vulnerability allows authenticated users to read and write files outside their designated storage boundaries. The issue arises from insufficient path validation, which only checked for prefixes without requiring path separators, enabling access to sibling directories with similar names. Additionally, the adapter failed to properly verify that object identifiers remained within their assigned storage namespaces, allowing attackers to exploit path traversal sequences to access files in other namespaces.

Impact

Exploitation of this vulnerability could lead to unauthorized access to files across different namespaces, allowing users to read sensitive data or write malicious files to other repositories. The vulnerability also permits access to sibling directories outside of lakeFS storage, potentially leading to privilege escalation if writable directories are used by other services.

Reproduction

The vulnerability can be reproduced by sending requests to the lakeFS local block adapter with object identifiers that include path traversal sequences. This can be done by manipulating the 'StorageNamespace' and 'Identifier' fields in the 'ObjectPointer' structure. The local block adapter will resolve the paths and, due to the inadequate validation, allow access to files outside the intended namespace or storage directory.
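The two validation gaps described above, as an added illustration that is not lakeFS code: a bare prefix test (the flawed shape) beside a containment check that cleans the joined path and requires a separator boundary at both the base-directory and the namespace level. The base path, namespace names and object identifiers are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrOutsideNamespace = errors.New("object path escapes its storage namespace")

// weakWithinBase mirrors the flawed check: a bare prefix test with no
// separator requirement, so "/srv/lakefs-backup/..." passes for "/srv/lakefs".
func weakWithinBase(base, candidate string) bool {
	return strings.HasPrefix(candidate, base)
}

// isWithin reports whether path equals root or lies strictly below it.
// Both arguments must be cleaned absolute paths; filepath.Rel yields a
// leading ".." whenever path sits beside or above root.
func isWithin(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveObject builds the on-disk path for (namespace, identifier) and
// enforces containment at both levels: the namespace directory must sit
// inside the adapter's base directory, and the object inside the namespace.
// filepath.Join cleans "../" segments first, so the check sees the real target.
func resolveObject(base, namespace, identifier string) (string, error) {
	cleanBase := filepath.Clean(base)
	nsRoot := filepath.Join(cleanBase, namespace)
	if nsRoot == cleanBase || !isWithin(cleanBase, nsRoot) {
		return "", ErrOutsideNamespace
	}
	full := filepath.Join(nsRoot, identifier)
	if full == nsRoot || !isWithin(nsRoot, full) {
		return "", ErrOutsideNamespace
	}
	return full, nil
}

func main() {
	// Constructed inputs: a sibling directory and a cross-namespace traversal.
	fmt.Println(weakWithinBase("/srv/lakefs", "/srv/lakefs-backup/obj")) // true: the flaw
	_, err := resolveObject("/srv/lakefs", "repo-a", "../repo-b/secret")
	fmt.Println(err) // object path escapes its storage namespace
}
```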

Remediation

Users should update to lakeFS version 1.77.0, which addresses the vulnerability with proper path validation. Instructions for downloading the latest version are available on the lakeFS GitHub releases page.

Added: Feb 13, 2026, 7:37 PM
Updated: Feb 13, 2026, 10:08 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 3.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.