A significant security vulnerability has been discovered in Denodo Scheduler, a data management software component, that allows attackers to execute remote code on affected systems.
The flaw, identified as CVE-2025-26147, is a path traversal vulnerability in the Kerberos authentication configuration feature that can be leveraged to compromise enterprise data management infrastructure.
Path Traversal Vulnerability
The vulnerability affects Denodo Scheduler version 8.0.202309140, a Java-based web application that provides time-based job scheduling for data extraction and integration operations.
The security flaw resides in the Kerberos authentication configuration functionality, specifically in the keytab file upload mechanism.
When administrators upload keytab files, which store service principal credentials for Kerberos authentication, the application fails to properly validate the filename parameter in multipart form data POST requests.
Attackers can exploit this weakness by manipulating the filename attribute in the Content-Disposition HTTP header using directory traversal sequences.
A malicious payload such as filename="../../../../opt/denodo/malicious.file.txt" enables unauthorized file uploads to arbitrary locations on the server's filesystem.
While the application appends a timestamp to uploaded filenames (e.g., malicious.file-1711156561716.txt), this timestamp is returned to the user via HTTP response, eliminating the need for attackers to guess the exact filename.
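The following is an added example, not code from the article or from Denodo, showing the vulnerable pattern the article describes (joining a client-supplied multipart filename straight onto the upload directory) next to a hardened handler that reduces the name to a single path component, applies the timestamp suffix, and confirms the resolved path stays inside the upload directory. The header strings and the upload directory /opt/denodo/keytabs are constructed for illustration; the article does not give Denodo's real upload location.

```python
import posixpath
import re
import time
from pathlib import Path
from typing import Optional

# Constructed Content-Disposition headers (not captured traffic): a benign
# keytab upload and the traversal shape the article describes.
BENIGN_HEADER = 'form-data; name="keytab"; filename="service.keytab"'
TRAVERSAL_HEADER = ('form-data; name="keytab"; '
                    'filename="../../../../opt/denodo/malicious.file.txt"')

# Assumed upload directory; Denodo's real location is not stated in the article.
UPLOAD_DIR = "/opt/denodo/keytabs"

_FILENAME_RE = re.compile(r'filename="([^"]*)"')


def extract_filename(content_disposition: str) -> Optional[str]:
    """Pull the filename attribute out of a multipart part header."""
    m = _FILENAME_RE.search(content_disposition)
    return m.group(1) if m else None


def naive_target_path(upload_dir: str, filename: str) -> str:
    """The vulnerable pattern: trust the client filename and join it directly.
    normpath shows where the file would actually land on disk."""
    return posixpath.normpath(posixpath.join(upload_dir, filename))


def safe_keytab_name(filename: Optional[str]) -> str:
    """Accept only a single plain path component ending in .keytab.
    Rejects rather than strips: stripping '../' can be bypassed by nested
    sequences such as '....//', so any separator is a hard failure."""
    if not filename:
        raise ValueError("missing filename")
    if "/" in filename or "\\" in filename or "\x00" in filename:
        raise ValueError("path separators not allowed")
    if filename.startswith("."):
        raise ValueError("hidden or relative names not allowed")
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", filename):
        raise ValueError("disallowed characters in filename")
    if not filename.endswith(".keytab"):
        raise ValueError("only .keytab uploads accepted")
    return filename


def is_safe_keytab_name(filename: Optional[str]) -> bool:
    """Boolean wrapper around safe_keytab_name for callers that log and drop."""
    try:
        safe_keytab_name(filename)
        return True
    except ValueError:
        return False


def safe_target_path(upload_dir: str, filename: Optional[str],
                     stamp_ms: Optional[int] = None) -> str:
    """Validate the name, add the millisecond timestamp suffix the article
    describes, and confirm the resolved path is still inside upload_dir."""
    name = safe_keytab_name(filename)
    stamp = stamp_ms if stamp_ms is not None else int(time.time() * 1000)
    stem, ext = name.rsplit(".", 1)
    base = Path(upload_dir).resolve()
    target = (base / f"{stem}-{stamp}.{ext}").resolve()
    if base not in target.parents:          # defence in depth
        raise ValueError("resolved path escapes upload directory")
    return str(target)


if __name__ == "__main__":
    for header in (BENIGN_HEADER, TRAVERSAL_HEADER):
        name = extract_filename(header)
        print("naive :", naive_target_path(UPLOAD_DIR, name))
        try:
            print("safe  :", safe_target_path(UPLOAD_DIR, name, 1711156561716))
        except ValueError as exc:
            print("safe  : rejected -", exc)
```

The naive join resolves the traversal payload to /opt/denodo/malicious.file.txt, outside the keytab directory; the hardened path rejects it before any filesystem call, and the final containment check catches anything the allowlist regex might miss.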
The path traversal vulnerability becomes critically dangerous when combined with the application’s Apache Tomcat deployment environment.
Security researchers identified that the web server’s root directory at /path/to/webroot/resources/apache-tomcat/webapps/ROOT/ provides an ideal target for malicious file placement.
By uploading a JavaServer Pages (JSP) web shell to this location, attackers can achieve complete remote code execution capabilities.
The researchers demonstrated the attack using a concise Java web shell that accepts commands through GET request parameters:
Once deployed, this web shell allows attackers to execute arbitrary system commands by accessing the uploaded JSP file with command parameters, effectively providing complete control over the compromised server.
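As an added defender-side example (not code from the researchers or from Denodo), the check below diffs a current listing of Tomcat's webapps/ROOT against a baseline taken at install time and ranks any new file: server-executed extensions (.jsp, .jspx) are high severity, and names carrying the millisecond timestamp suffix the article says uploads receive are flagged as likely upload-renamed. The directory snapshots are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed snapshots of a Tomcat webapps/ROOT tree (illustrative, not real
# Denodo data): a baseline recorded at install time and a later listing.
BASELINE_LISTING: Set[str] = {
    "index.jsp",
    "WEB-INF/web.xml",
    "css/site.css",
}
CURRENT_LISTING: Set[str] = {
    "index.jsp",
    "WEB-INF/web.xml",
    "css/site.css",
    "cmd-1711156561716.jsp",      # server-side file with the upload timestamp suffix
    "notes-1711156561716.txt",    # inert file with the same suffix
    "css/theme.css",              # new static asset, no suffix
}

# The article reports uploads are renamed <name>-<millisecond timestamp>.<ext>.
STAMP_SUFFIX_RE = re.compile(r"-(\d{13})\.[^./]+$")
# Extensions Tomcat compiles and executes on request.
SERVER_EXECUTED = (".jsp", ".jspx")


@dataclass
class Finding:
    path: str
    severity: str        # "high", "medium" or "low"
    stamped: bool        # name carries the upload timestamp suffix
    executable: bool     # Tomcat would execute it on request


def classify(path: str) -> Finding:
    """Rank one new file by what an attacker could do with it."""
    stamped = STAMP_SUFFIX_RE.search(path) is not None
    executable = path.lower().endswith(SERVER_EXECUTED)
    if executable:
        severity = "high"          # new server-side code under the webroot
    elif stamped:
        severity = "medium"        # upload-renamed file outside the keytab dir
    else:
        severity = "low"
    return Finding(path, severity, stamped, executable)


def find_unexpected_files(baseline: Iterable[str],
                          current: Iterable[str]) -> List[Finding]:
    """Return a finding for every file present now but absent from the
    baseline, highest severity first."""
    new_paths = set(current) - set(baseline)
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [classify(p) for p in new_paths]
    return sorted(findings, key=lambda f: (order[f.severity], f.path))


if __name__ == "__main__":
    for f in find_unexpected_files(BASELINE_LISTING, CURRENT_LISTING):
        print(f"[{f.severity:6}] {f.path}  stamped={f.stamped} executable={f.executable}")
```

In practice the listing would come from walking the real ROOT directory on a schedule; any high finding warrants pulling the file and the Tomcat access log for the same timestamp window.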
Risk Factors | Details
Affected Products | Denodo Scheduler (v8.0.202309140)
Impact | Remote Code Execution (RCE)
Exploit Prerequisites | Administrative access to configure Kerberos authentication; ability to upload malicious keytab files; Apache Tomcat deployment environment
CVSS 3.1 Score | 8.8 (High)
Mitigations
Rhino Security Labs, the security firm that discovered the vulnerability, reported the issue to Denodo on April 9, 2024.
The vendor demonstrated exemplary response time, acknowledging the vulnerability and releasing a security patch on April 23, 2024, just 14 days after initial disclosure.
The vulnerability has been addressed in Denodo 8.0 update 20240307, and organizations using affected versions should immediately apply this security update.
This incident underscores the critical importance of implementing secure coding practices, particularly around file upload functionality and input validation.
The vulnerability’s progression from a simple path traversal flaw to remote code execution capability highlights how seemingly minor security oversights can lead to complete system compromise.
Organizations utilizing Denodo Scheduler should prioritize patch deployment and conduct security assessments of their data management infrastructure to ensure comprehensive protection against similar attack vectors.