Altium Enterprise Server Viewer Path Traversal Vulnerability in StorageController
Vulnerability
A path traversal vulnerability has been identified in the Altium Enterprise Server Viewer component, specifically within the StorageController. This vulnerability arises from improper handling of file path parameters in API requests. In on-premise deployments that utilize local filesystem storage, an authenticated user can send a URL-encoded absolute path, such as an encoded drive letter, through the Viewer storage API. This manipulation causes the designated storage root to be ignored, enabling access to arbitrary files on the server's filesystem. Exploitation of this vulnerability allows access to sensitive files, including the server's master configuration, which contains database credentials, signing key locations, certificate passwords, and OAuth secrets. As a result, this vulnerability could lead to the disclosure of all server secrets and a complete compromise of the server and its data. It is important to note that cloud deployments are not affected, as they rely on object storage and do not activate this component.
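The root cause described above (a decoded absolute path or drive letter making the storage root drop out of the joined path) and the containment check that prevents it, as an added illustration in Python; this is not Altium's code and the storage root, file names and request values are constructed for the example. It checks both POSIX and Windows path conventions regardless of the host OS, so an encoded drive letter is rejected even on a Linux server.

```python
"""Path containment check for a filesystem-backed storage API (added example)."""
import ntpath
import posixpath
import re
from pathlib import Path, PurePosixPath, PureWindowsPath
from urllib.parse import unquote

# Hypothetical storage root; the real product's location is not given on the page.
STORAGE_ROOT = Path("/srv/viewer-storage")


class PathTraversalError(ValueError):
    """Raised when a client-supplied path would leave the storage root."""


def naive_join_posix(root: str, user_path: str) -> str:
    """The defective pattern: join() discards `root` whenever the second
    argument is absolute, so the configured storage root is silently ignored."""
    return posixpath.join(root, unquote(user_path))


def naive_join_windows(root: str, user_path: str) -> str:
    """Same defect with Windows semantics: a drive letter resets the path."""
    return ntpath.join(root, unquote(user_path))


def safe_resolve(root: Path, user_path: str) -> Path:
    """Decode once, reject anything absolute or parent-relative, then
    confirm the final resolved path still sits inside `root`."""
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")
    win = PureWindowsPath(decoded)
    # Apply both platform conventions regardless of the host OS so that a
    # drive letter, UNC prefix or leading slash is rejected everywhere.
    if (PurePosixPath(decoded).is_absolute() or win.is_absolute()
            or win.drive or win.root):
        raise PathTraversalError("absolute path rejected")
    # Split on either separator and drop empty and "." segments.
    parts = [p for p in re.split(r"[\\/]+", decoded) if p not in ("", ".")]
    if not parts:
        raise PathTraversalError("empty path")
    if ".." in parts:
        raise PathTraversalError("parent-directory segment rejected")
    resolved_root = root.resolve()
    resolved = resolved_root.joinpath(*parts).resolve()
    # Final containment check on the resolved path (also covers symlinks
    # when the root exists on disk).
    if resolved != resolved_root and resolved_root not in resolved.parents:
        raise PathTraversalError("path escapes storage root")
    return resolved


def classify(user_path: str, root: Path = STORAGE_ROOT) -> str:
    """One-line verdict suitable for request logging or tests."""
    try:
        resolved = safe_resolve(root, user_path)
    except PathTraversalError as exc:
        return f"rejected: {exc}"
    return "ok: " + resolved.relative_to(root.resolve()).as_posix()


if __name__ == "__main__":
    # Constructed sample values, URL-encoded as a storage API would receive them.
    samples = (
        "designs%2Fboard.PcbDoc",        # legitimate relative path
        "%2Fetc%2Fhostname",             # encoded absolute POSIX path
        "C%3A%5CWindows%5Cwin.ini",      # encoded drive letter
        "..%2F..%2Fserver-config.xml",   # parent-directory traversal
    )
    for sample in samples:
        print(f"{sample:32} -> {classify(sample)}")
    # The defect itself: the root vanishes from the naive join.
    print(naive_join_posix("/srv/viewer-storage", "%2Fetc%2Fhostname"))
    print(naive_join_windows("D:\\storage", "C%3A%5CWindows%5Cwin.ini"))
```

The segment checks alone are not enough on their own; the closing `resolve()` comparison is what guarantees containment after symlinks and normalisation, so keep both layers.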
Impact
Exploitation of this vulnerability could result in unauthorized access to sensitive server files, including database credentials and other confidential information, leading to a full compromise of the server and its data.