Embedded Web Server (.NET) - Potential Medium Security Vulnerability

CData is aware of a potential security issue that affects customers of CData applications who are running on Windows and using the .NET Embedded Web Server.

Date Entered: 06/13/2023    Last Updated: 06/13/2023

Summary

A potential medium security vulnerability has been identified that could force the application to serve files outside of the web server's "www" directory, potentially leading to requests being sent to a server of the attacker's choosing. A successful exploit of this vulnerability would require:

  • An attacker already possessing valid credentials to log into the application.
  • An attacker possessing knowledge of the file system or network infrastructure, in order to know how to properly form the request to target a file or network resource.
  • The application being hosted in the .NET Embedded Web server.
  • The application's process being run with an identity that would have access to the requested file.

Resolution

The CData Security Team has investigated this as a high-priority issue and has updated the Windows/.NET editions of all potentially affected products. The fix for this issue has been applied to the following builds:

If you are using a previous version of any of the listed applications, please upgrade to the latest release.


We appreciate your feedback.  If you have any questions, comments, or suggestions about this entry, please contact our support team at [email protected].