Arcane
- <= 1.18.1
A vulnerability in Arcane's REST API prior to version 1.19.0 allows non-admin users to access and manipulate Git repository configurations, including exfiltrating stored Git credentials. This issue arises because eight out of nine Git repository management endpoints do not enforce admin role checks, leaving a gap that authenticated users with default roles can exploit. By redirecting a repository's URL to an attacker-controlled host and omitting certain authentication fields, an attacker can intercept decrypted personal access tokens or SSH keys during routine API calls, effectively bypassing Arcane's security measures and compromising GitHub or GitLab accounts.
Exploitation of this vulnerability leads to unauthorized access to and exfiltration of encrypted Git credentials, which are then transmitted in cleartext to an attacker-controlled URL. This not only allows for the interception of sensitive authentication tokens and SSH keys but also enables unauthorized manipulation of Git repository configurations. Such actions could disrupt GitOps workflows, cause denial-of-service on production pipelines, and inject malicious content into deployments by exploiting trusted Git sources.
1. Authenticate as a user with default 'user' role.
2. Access the Git repository management endpoints that lack admin checks.
3. Identify a repository and update its URL to point to an attacker-controlled host, while leaving the token or SSH key fields empty.
4. Once the URL is updated, use an endpoint that triggers the decryption of the stored credentials, such as the 'test' or 'browseFiles' endpoint.
5. The application will send the decrypted credentials to the attacker-controlled host, completing the exfiltration process.
Users are advised to update Arcane to version 1.19.0 or later, where this vulnerability has been addressed.
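For teams reviewing similar credential-holding services, the following added example (not Arcane's code and not its patch) sketches the two controls the description implies: a role check on the update path, and binding a stored secret to the origin it was saved for. All type, field and error names are hypothetical, and the origin binding is an assumed defense-in-depth measure that the advisory does not confirm.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Hypothetical types for illustration; these are not Arcane's own structures.
type User struct{ Name, Role string }
type GitRepo struct{ URL, StoredSecret string } // encryption at rest omitted
type UpdateRequest struct{ URL, Token string }  // empty Token keeps the stored secret

var (
	ErrForbidden    = errors.New("admin role required")
	ErrBadRemote    = errors.New("unsupported remote URL")
	ErrCredRequired = errors.New("remote origin changed: credential must be re-entered")
)

// origin reduces a remote to scheme://host[:port]; "" means unsupported (scp-style included).
func origin(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return ""
	}
	return strings.ToLower(u.Scheme + "://" + u.Host)
}

// UpdateRepo checks the role on the write path and keeps a stored secret bound to its origin.
func UpdateRepo(u User, repo *GitRepo, req UpdateRequest) error {
	if u.Role != "admin" {
		return ErrForbidden
	}
	oldO, newO := origin(repo.URL), origin(req.URL)
	if oldO == "" || newO == "" {
		return ErrBadRemote // fail closed on anything that cannot be compared
	}
	if req.Token != "" {
		repo.StoredSecret = req.Token
	} else if newO != oldO {
		return ErrCredRequired // a stored secret never follows the repo to a new origin
	}
	repo.URL = req.URL
	return nil
}
func main() { // constructed input: a default-role caller tries to retarget the remote
	fmt.Println(UpdateRepo(User{Role: "user"}, &GitRepo{URL: "https://git.example.com/app.git"}, UpdateRequest{URL: "https://other.example.net/app.git"}))
}
```

The same origin comparison belongs on every endpoint that decrypts the stored credential, so that a record changed by any other path still cannot send the secret to a different host.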