ArcadeDB Trigger Script RCE via Java.lang.* Allow-list
A vulnerability in ArcadeDB's ScriptTriggerExecutor allows users with UPDATE_SCHEMA privileges to achieve OS Remote Code Execution (RCE) due to a permissive allow-list for trigger scripts, enabling direct calls to `java.lang.Runtime.exec()` when a malicious trigger script is created and fired.
What's new
- l2 merged source coverage: ArcadeDB Scripting Authorization Bypass via SQL DEFINE FUNCTION Jul 16, 20:22 via ghsa
A high-severity vulnerability has been identified in ArcadeDB, affecting versions prior to 26.7.2. The ScriptTriggerExecutor component, responsible for executing trigger scripts, includes java.lang.* in its allowed packages. This oversight permits an authenticated attacker with UPDATE_SCHEMA privileges (a schema administrator) to craft and deploy a malicious JavaScript trigger. When such a trigger fires, it can invoke java.lang.Runtime.exec(), leading to arbitrary operating system command execution on the host server where ArcadeDB is running. This effectively escalates privileges from a database schema administrator to remote code execution on the underlying operating system, posing a significant risk to the integrity and confidentiality of the host system and the data stored within ArcadeDB.
Attack Chain
- An attacker gains
UPDATE_SCHEMAadministrative privileges within an ArcadeDB instance. - The attacker crafts a malicious database trigger script that includes an OS command execution payload.
- The attacker registers this malicious trigger within ArcadeDB using the
CREATE TRIGGER ... EXECUTE JAVASCRIPTcommand. - The JavaScript payload within the trigger leverages the permissive
java.lang.*allow-list to callJava.type("java.lang.Runtime").getRuntime().exec(...). - The crafted trigger is saved into the database schema, awaiting its activation conditions.
- A subsequent database operation or event occurs that satisfies the conditions for the newly created malicious trigger to fire.
- The ArcadeDB
ScriptTriggerExecutorprocesses the trigger, and due tojava.lang.*being in the allow-list, thejava.lang.Runtime.exec()call is permitted. - The attacker's specified operating system commands are executed on the host server with the privileges of the ArcadeDB process, achieving remote code execution.
Impact
Successful exploitation of this vulnerability results in arbitrary remote code execution on the server hosting ArcadeDB. This allows an attacker to completely compromise the underlying operating system, potentially leading to data exfiltration, deletion, or modification of any data accessible by the ArcadeDB process. While it requires an attacker to first obtain UPDATE_SCHEMA privileges, the RCE then allows for privilege escalation from a schema administrator role to full system control. The compromise can affect any operating system ArcadeDB is deployed on, including Windows, Linux, and macOS.
Recommendation
- Upgrade ArcadeDB installations immediately to version 26.7.2 or later to apply the official patch.
- Review and ensure strict access controls are in place for users assigned
UPDATE_SCHEMAprivileges. - Administrators should monitor database logs for suspicious
CREATE TRIGGERstatements that includeJAVASCRIPTexecution.