Multiple flaws in CData Jetty server products enable security control bypass
Take action: If you are using CData Sync, CData API Server, CData Arc or CData Connect with the embedded Jetty server, plan to patch them. Patching may be a complicated process, but you do need to research whether you are impacted. Prioritize CData API Server and CData Connect.
Learn More
A security vulnerability has been identified in the Java versions of several CData software products when utilized with the embedded Jetty server, leading to potential unauthorized data access and system actions.
The vulnerability affects CData Sync, CData API Server, CData Arc and CData Connect and could enable remote attackers to access sensitive information and perform unauthorized actions on the affected system. The issue stems from the interaction between the embedded Jetty server and the CData servlets' handling of incoming requests, which can result in a path traversal problem.
This allows an attacker to alter the request path to gain access to directories on the system that were not intended to be accessible.
The following CVE identifiers have been assigned:
- CVE-2024-31848 (CVSS score 9.8) affects CData API Server versions prior to 23.4.8844 for Java, where the embedded Jetty server's improper path validation allows unauthenticated remote attackers to access arbitrary files on the system, potentially leading to complete administrative control.
- CVE-2024-31849 (CVSS score 9.8) impacts CData Connect, where versions before 23.4.8846 are susceptible to a critical path traversal attack, allowing unauthenticated, remote attackers to exploit directory traversal functionality for complete administrative access.
- CVE-2024-31850 (CVSS score 8.6) exposes CData Arc to a path traversal attack in Java application versions prior to 23.4.8839, enabling remote, unauthenticated attackers to access sensitive data and possibly undertake limited actions on the system.
- CVE-2024-31851 (CVSS score 8.6) affects CData Sync
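To support the triage the advisory asks for, the added script below (not CData's code, nor part of the original advisory) compares an installed build against the fixed versions stated above and scans constructed access-log lines for request paths that resolve to a `..` segment after percent-decoding. The log format and the `/app/` paths are assumptions; the fixed build for CData Sync is not given on this page, so the check reports it as unknown.

```python
import re
from urllib.parse import unquote

# Fixed builds as stated in the advisory; CData Sync's fixed build is not given on the page.
FIXED_VERSIONS = {
    "CData API Server": "23.4.8844",
    "CData Connect": "23.4.8846",
    "CData Arc": "23.4.8839",
}

def is_vulnerable_version(product, installed):
    """True if installed build is older than the advisory's fixed build; None if unknown."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return None  # not on the advisory's list, or fixed build not published here
    as_tuple = lambda v: tuple(int(part) for part in v.split("."))
    return as_tuple(installed) < as_tuple(fixed)

def normalize_path(raw_path):
    """Drop the query string, percent-decode repeatedly (bounded) so double-encoded
    sequences are resolved, and unify backslashes so segment checks are uniform."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def is_traversal(raw_path):
    """A request is flagged when any decoded path segment is exactly '..'."""
    return any(segment == ".." for segment in normalize_path(raw_path).split("/"))

# Assumed Common Log Format: ip ident user [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')

def scan_access_log(lines):
    """Return (ip, raw path, status) for each line whose path contains traversal."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), m.group("status")))
    return hits

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2024:10:00:01 +0000] "GET /app/index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Apr/2024:10:00:02 +0000] "GET /app/..%2F..%2Fconf/settings HTTP/1.1" 200 1024',
    '203.0.113.7 - - [10/Apr/2024:10:00:03 +0000] "GET /app/%252e%252e%252fconf/settings HTTP/1.1" 404 120',
]

if __name__ == "__main__":
    print(is_vulnerable_version("CData API Server", "23.4.8800"))
    for hit in scan_access_log(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

A 200 status on a flagged request deserves more attention than a 404, since it suggests the altered path was actually served.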