ArcadeDB Cross-Database Authorization Bypass Vulnerability
Vulnerability
A vulnerability in ArcadeDB prior to version 2.6.4 allows authenticated users and API tokens scoped to a specific database to read, write, and modify the schema of any other database on the same server. This issue arises from two defects: first, the 'ServerSecurityUser.getDatabaseUser()' method returned a database user with an uninitialized file access map, which was interpreted as an allow-all permission. Second, the 'ArcadeDBServer.createDatabase()' method failed to initialize database security, leaving the record-level authorization system disabled for newly created databases. As a result, both record-level and database-level authorization could be bypassed by any authenticated user or token.
Impact
Exploitation of this vulnerability allows for a complete bypass of both record-level and database-level authorization, enabling unauthorized read, write, and schema modification actions across databases on the same server.
Reproduction
To reproduce this vulnerability, first create a database and a read-only API token scoped to that database. Then, use the token to attempt to insert data or modify the schema in a different database on the same server. On an affected version, the token can perform these actions, demonstrating the cross-database authorization bypass.
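The two defects above are both instances of a fail-open authorization check: a permission map that was never populated is read as "no restrictions", and a database whose security was never initialized enforces nothing. The following Python model, added here as an illustration and not taken from ArcadeDB's source, walks the reproduction steps against a toy server in both modes, so the vulnerable and the fail-closed behaviour can be compared side by side. The names Server, ScopedToken, DatabaseUser, authorize and reproduce are hypothetical, the databases and token are constructed, and the "fixed" branch is a generic default-deny rendering rather than the project's actual patch.

```python
"""Toy model of the two ArcadeDB authorization defects described above.

Constructed example, not ArcadeDB source code. Server, ScopedToken,
DatabaseUser, authorize and reproduce are hypothetical names.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

READ, WRITE, SCHEMA = "read", "write", "schema"


@dataclass
class ScopedToken:
    database: str          # the one database this token was issued for
    permissions: Set[str]  # e.g. {READ} for a read-only token


@dataclass
class DatabaseUser:
    # Permission map for the database being accessed. None stands in for the
    # uninitialized map of the first defect; the fixed code never produces it.
    access: Optional[Dict[str, Set[str]]]


class Server:
    def __init__(self, fail_open: bool) -> None:
        self.fail_open = fail_open                   # True models the pre-2.6.4 behaviour
        self.security_enabled: Dict[str, bool] = {}  # database -> record-level security on?
        self.tokens: Dict[str, ScopedToken] = {}

    def create_database(self, name: str, security_initialized: Optional[bool] = None) -> None:
        # Second defect: the vulnerable createDatabase() never initialized database
        # security, so record-level authorization stayed off for every new database.
        if security_initialized is None:
            security_initialized = not self.fail_open
        self.security_enabled[name] = security_initialized

    def create_token(self, name: str, database: str, permissions: Set[str]) -> None:
        self.tokens[name] = ScopedToken(database, set(permissions))

    def get_database_user(self, token_name: str, database: str) -> DatabaseUser:
        token = self.tokens[token_name]
        if token.database == database:
            return DatabaseUser({database: set(token.permissions)})
        # The token is scoped to a different database.
        if self.fail_open:
            return DatabaseUser(None)            # first defect: map left uninitialized
        return DatabaseUser({database: set()})   # fixed: explicit empty map, deny-all

    def authorize(self, token_name: str, database: str, action: str) -> bool:
        if not self.security_enabled[database]:
            return True  # record-level security off: nothing is checked at all
        user = self.get_database_user(token_name, database)
        if user.access is None:
            # The vulnerable check reads an absent map as "no restrictions";
            # a fail-closed check treats it as deny-all.
            return self.fail_open
        return action in user.access.get(database, set())


def reproduce(fail_open: bool) -> Dict[str, bool]:
    """Walk the reproduction steps: a read-only token scoped to database 'a'
    tries to write to, and alter the schema of, other databases on the server."""
    srv = Server(fail_open)
    # 'legacy' has security initialized in both modes, isolating the first defect;
    # 'a' and 'b' go through create_database(), exercising the second defect.
    srv.create_database("legacy", security_initialized=True)
    srv.create_database("a")
    srv.create_database("b")
    srv.create_token("ro-a", "a", {READ})
    return {
        "read_own_db": srv.authorize("ro-a", "a", READ),
        "write_own_db": srv.authorize("ro-a", "a", WRITE),
        "write_other_new_db": srv.authorize("ro-a", "b", WRITE),
        "alter_schema_other_new_db": srv.authorize("ro-a", "b", SCHEMA),
        "write_secured_db": srv.authorize("ro-a", "legacy", WRITE),
    }


if __name__ == "__main__":
    for mode, flag in (("vulnerable", True), ("fixed", False)):
        print(mode, reproduce(flag))
```

In the vulnerable mode every check passes, including a write to the secured "legacy" database that only the uninitialized-map defect can explain; in the fixed mode the read-only token can read its own database and nothing else. The same pair of checks, run against a real server after an upgrade, is the regression test a defender would want in place.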
Remediation
Users are advised to upgrade to ArcadeDB version 2.6.4, where this vulnerability has been fixed.
