Arcane Docker Compose Path Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in Arcane, a tool for managing Docker resources. It affects versions through 1.19.3. The ProjectService.GetProjectFileContent method follows Docker Compose include directives without checking that the referenced path stays inside the project directory. An authenticated user can create a project whose compose file carries an include directive pointing at an arbitrary location, such as ../../../../etc/passwd, and then retrieve the included file's contents through the project file API. Any file readable by the Arcane backend process is exposed this way, including the Arcane SQLite database, which holds user password hashes and API keys. Credentials recovered from that database could give the attacker admin access to Arcane and, through Arcane's Docker control plane, the ability to execute code on the host.

Impact

An authenticated user can read any file on the host that the Arcane backend process itself can read. This includes the Arcane SQLite database, which stores password hashes and API keys for every user, admins included. Material recovered from it could be used to escalate to admin and, via Arcane's Docker control plane, to run code on the host.

Reproduction

An authenticated user creates a project in Arcane whose Docker Compose file contains an include directive pointing at a file outside the project directory, such as ../../../../etc/passwd. Once the project exists, a request to the project file API for the included file returns its contents; no path validation is applied to the include target.
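The root cause described above is a path computed from an attacker-controlled include target and used without a containment check. The following Go program is an added example written for this page, not Arcane's own code: it puts the unchecked join beside a hardened resolver and runs both over a constructed compose include list. The project directory, the function names, and the include entries are assumptions for illustration; the compose include list is passed in as plain strings rather than parsed from YAML.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideProject is returned for an include that leaves the project directory.
var ErrOutsideProject = errors.New("compose include escapes the project directory")

// resolveIncludeUnchecked mirrors the flawed pattern: the include target is
// joined onto the project directory and used as-is. filepath.Join cleans the
// result, so "../../../../etc/passwd" collapses straight to "/etc/passwd".
func resolveIncludeUnchecked(projectDir, include string) string {
	return filepath.Join(projectDir, include)
}

// within reports whether path is root or lies below it. It uses a relative
// path rather than a string-prefix test, so a sibling such as
// /srv/projects/demo-evil is not mistaken for /srv/projects/demo.
func within(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveIncludeLexical rejects absolute includes and any include whose
// cleaned form leaves projectDir. It consults no filesystem state.
func resolveIncludeLexical(projectDir, include string) (string, error) {
	if filepath.IsAbs(include) {
		return "", ErrOutsideProject
	}
	root, err := filepath.Abs(projectDir)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(root, include)
	if !within(root, candidate) {
		return "", ErrOutsideProject
	}
	return candidate, nil
}

// resolveInclude adds the check the lexical test cannot make: a symlink inside
// the project may point anywhere, so root and candidate are both resolved to
// their real paths before the containment test. The target must exist, which
// is the case by the time a file is being served.
func resolveInclude(projectDir, include string) (string, error) {
	candidate, err := resolveIncludeLexical(projectDir, include)
	if err != nil {
		return "", err
	}
	root, err := filepath.Abs(projectDir)
	if err != nil {
		return "", err
	}
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	realPath, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err
	}
	if !within(realRoot, realPath) {
		return "", ErrOutsideProject
	}
	return realPath, nil
}

// checkIncludes applies the lexical check to every include of a compose file
// and returns the resolved paths, or an error naming the first offending entry.
func checkIncludes(projectDir string, includes []string) ([]string, error) {
	resolved := make([]string, 0, len(includes))
	for _, inc := range includes {
		p, err := resolveIncludeLexical(projectDir, inc)
		if err != nil {
			return nil, fmt.Errorf("include %q: %w", inc, err)
		}
		resolved = append(resolved, p)
	}
	return resolved, nil
}

func main() {
	// Constructed sample: a hypothetical project directory and the include
	// list of a malicious compose file (one legitimate entry, one traversal).
	projectDir := "/srv/arcane/projects/demo"
	includes := []string{"compose.override.yml", "../../../../etc/passwd"}

	for _, inc := range includes {
		fmt.Printf("unchecked: %-26s -> %s\n", inc, resolveIncludeUnchecked(projectDir, inc))
	}
	if _, err := checkIncludes(projectDir, includes); err != nil {
		fmt.Println("checked:   ", err)
	}
}
```

The lexical check is enough to stop the traversal string shown in this advisory, but not a compose file that includes `link/secret.yml` where `link` is a symlink the user planted inside the project; that is why the resolver that actually opens files goes through `filepath.EvalSymlinks` on both ends before comparing. Absolute include paths are rejected outright here, which is stricter than the Compose specification but appropriate when the include target is user-supplied.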

Remediation

Update to Arcane version 1.19.4 or later, where this vulnerability has been fixed.

Added: May 29, 2026, 6:24 PM
Updated: May 29, 2026, 6:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.8
exploitability: 6.3
remediation: 0.0
relevance: 9.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.