Apache Polaris Temporary Storage Credential Vending Vulnerability
Vulnerability
A vulnerability in Apache Polaris prior to 1.4.1 allows authenticated low-privileged users to exploit the staged table creation process. During this process, broad temporary storage credentials are issued before the effective table location has been validated or durably reserved. This flaw lets an attacker steer the scope of the vended credentials, and therefore of the accessible table data and metadata, by choosing a reachable target location. The vulnerability arises because the stage-create path does not perform the location validation or overlap checks that the normal create path applies before issuing credentials. Additionally, the staged-create flow accepts attacker-influenced location inputs through the 'write.data.path' and 'write.metadata.path' request properties, which are likewise not validated before credential vending.
Impact
Exploitation of this vulnerability allows for the unauthorized issuance of temporary storage credentials that can be directed towards an attacker-chosen location, potentially leading to unauthorized access to table data and metadata.
Reproduction
To reproduce this vulnerability, an authenticated low-privileged user can initiate a staged table creation process in Apache Polaris. During this process, the user should supply a custom location and request credential vending. The application will issue temporary storage credentials for the specified location without performing the necessary validation or overlap checks. This vulnerability can also be reproduced by using the 'write.data.path' or 'write.metadata.path' request properties to override the effective table location, as these inputs are also accepted without proper validation.
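The missing step the advisory describes is a location check that must run before any credential is vended: every location the credential would cover (the table location plus any 'write.data.path' or 'write.metadata.path' override) has to lie under an allowed base location and must not overlap an existing table. The following is an added, illustrative model of that gate, written for this page; it is not Polaris code, and the function names, the URI scheme handling and the sample locations are constructed assumptions.

```python
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import urlparse


class LocationRejected(ValueError):
    """Raised when a requested location fails validation; no credential is vended."""


def _split(location: str) -> Tuple[str, str, Tuple[str, ...]]:
    """Normalize an object-store URI into (scheme, bucket, path segments).

    Only absolute URIs are accepted, and '..' segments are rejected outright so
    that a segment-wise prefix comparison later on cannot be escaped.
    """
    parsed = urlparse(location)
    if not parsed.scheme or not parsed.netloc:
        raise LocationRejected(f"not an absolute object-store URI: {location!r}")
    raw_segments = [s for s in parsed.path.split("/") if s and s != "."]
    if ".." in raw_segments:
        raise LocationRejected(f"path traversal in location: {location!r}")
    normalized = posixpath.normpath("/" + "/".join(raw_segments))
    segments = tuple(s for s in normalized.split("/") if s)
    return parsed.scheme.lower(), parsed.netloc.lower(), segments


def _is_within(child, parent) -> bool:
    """True when child equals parent or lies below it.

    Comparison is per path segment, so 'customers' is not treated as a prefix
    of 'customers2' (a plain string startswith() would get this wrong).
    """
    return (
        child[0] == parent[0]
        and child[1] == parent[1]
        and child[2][: len(parent[2])] == parent[2]
    )


def validate_staged_location(
    table_location: str,
    allowed_base_locations: List[str],
    existing_table_locations: List[str],
    write_data_path: Optional[str] = None,
    write_metadata_path: Optional[str] = None,
) -> List[str]:
    """Return the locations a vended credential may be scoped to, or raise.

    The caller (hypothetically, the stage-create handler) must call this before
    issuing any temporary storage credential and scope the credential to the
    returned list only. Overrides supplied through write.data.path and
    write.metadata.path are validated with exactly the same rules as the table
    location itself.
    """
    candidates = [table_location]
    if write_data_path:
        candidates.append(write_data_path)
    if write_metadata_path:
        candidates.append(write_metadata_path)

    bases = [_split(b) for b in allowed_base_locations]
    existing = [_split(e) for e in existing_table_locations]

    approved: List[str] = []
    for loc in candidates:
        parts = _split(loc)
        # Rule 1: must sit under one of the catalog's allowed base locations.
        if not any(_is_within(parts, base) for base in bases):
            raise LocationRejected(f"{loc!r} is outside every allowed base location")
        # Rule 2: must not overlap an existing table in either direction
        # (neither inside another table's tree nor enclosing one).
        for other in existing:
            if _is_within(parts, other) or _is_within(other, parts):
                raise LocationRejected(f"{loc!r} overlaps an existing table location")
        approved.append(loc)
    return approved


if __name__ == "__main__":
    # Constructed sample catalog state for a stand-alone run.
    allowed = ["s3://lake/ns1/"]
    existing = ["s3://lake/ns1/customers"]
    print(validate_staged_location("s3://lake/ns1/orders", allowed, existing))
    for bad in ("s3://lake/ns1/customers/2024", "s3://other/ns1/orders", "s3://lake/ns1/../secret"):
        try:
            validate_staged_location(bad, allowed, existing)
        except LocationRejected as exc:
            print("rejected:", exc)
```

The two rules map onto the two gaps the advisory names: the allowed-base check bounds what a low-privileged caller can point a credential at, and the overlap check stops a staged table from being placed inside (or around) another table's data and metadata. Applying the same rules to the override properties closes the second input path the advisory describes.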
