Embedded Web Server (.NET) - Potential Medium Security Vulnerability

CData is aware of a potential security issue that affects customers of CData applications who are running on Windows and using the .NET Embedded Web Server.

Date Entered: 06/13/2023    Last Updated: 06/13/2023

Summary

A potential medium security vulnerability has been identified that could force the application to serve files outside of the web server's "www" directory, potentially leading to requests being sent to a server of the attacker's choosing. A successful exploit of this vulnerability would require:

  • An attacker already possessing valid credentials to log into the application.
  • An attacker possessing knowledge of the file system or network infrastructure, in order to know how to properly form the request to target a file or network resource.
  • The application being hosted in the .NET Embedded Web Server.
  • The application's process being run with an identity that would have access to the requested file.
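The control this class of issue depends on, keeping every served file under the "www" directory on Windows, is shown below as an added example. It is not CData's code, and the advisory does not describe the flaw's mechanics or the fix. The install path, class and method names, and sample requests are assumptions constructed for illustration.

```csharp
using System;
using System.IO;

static class WwwContainment
{
    // Hypothetical install path, used only for this illustration.
    const string WebRoot = @"C:\ExampleApp\www";

    // Maps a URL path to a file under webRoot; returns false if it would escape.
    static bool TryResolve(string webRoot, string urlPath, out string fullPath)
    {
        fullPath = null;
        // Decode once, drop the single leading '/', use Windows separators.
        string rel = Uri.UnescapeDataString(urlPath).Replace('/', '\\');
        if (rel.StartsWith("\\")) rel = rel.Substring(1);

        // Refuse drive letters, stream/device syntax (':') and rooted or UNC
        // forms: Path.Combine would discard webRoot for those, and a UNC path
        // makes the server process open a connection to a remote host.
        if (rel.Contains(":") || Path.IsPathRooted(rel)) return false;

        // Collapse "." and ".." segments, then compare against the root with a
        // trailing separator so "www-backup" is not mistaken for "www".
        string root = Path.GetFullPath(webRoot).TrimEnd('\\') + "\\";
        string candidate = Path.GetFullPath(Path.Combine(root, rel));
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return false;

        fullPath = candidate;
        return true;
    }

    static void Main()
    {
        // Constructed sample request paths.
        string[] samples =
        {
            "/index.html",
            "/css/../index.html",
            "/../www-backup/app.config",
            "/%2e%2e/%2e%2e/Windows/win.ini",
            "//fileserver.example/share/report.txt",
        };
        foreach (string s in samples)
        {
            bool ok = TryResolve(WebRoot, s, out string path);
            Console.WriteLine($"{s,-42} {(ok ? "serve " + path : "refuse")}");
        }
    }
}
```

`Path.GetFullPath` does not resolve junctions or symbolic links, so a link placed inside "www" needs separate handling, and running the process under a low-privilege identity limits what any bypass can reach.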

Resolution

The CData Security Team has investigated this as a high-priority issue and has updated the Windows/.NET editions of all potentially affected products. The fix for this issue has been applied to the following builds:

If you are using a previous version of any of the listed applications, please upgrade to the latest release.


We appreciate your feedback.  If you have any questions, comments, or suggestions about this entry, please contact our support team at support@cdata.com.