Full Report
Appsmith is an open-source developer tool designed to help organizations build internal applications, such as dashboards, admin panels, and customer support tools. It has three roles: admin, developer and app viewer. Appsmith has datasources that allow applications to use information from various databases and other endpoints; many of these run locally. One of these, configured by default, is a PostgreSQL database. The configuration of this server allows logging into the database as any user without providing a password. This is done via a server-side connection. Interacting with PostgreSQL requires a valid account. Although the app requires an invitation to join existing workspaces, its default configuration allows for user signup! A user can then configure their own workspace and application to expose the vulnerable functionality. The application that the user is able to create allows logging in as the Postgres superuser via the web console. Using this, it's possible to run `cat /etc/passwd` from a SQL query. Since this is the superuser, it's effectively game over. There are two other bugs, but this one was by far the most interesting. Good find!
Analysis Summary
# Vulnerability: Unauthenticated Access to PostgreSQL Superuser via Default Configuration and User-Created Applications in Appsmith
## CVE Details
- CVE ID: *Information not provided in the context article.*
- CVSS Score: *Not calculated/provided in the context article.*
- CWE: CWE-287 (Improper Authentication), CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - *Implied due to arbitrary command execution via query*)
## Affected Systems
- Products: Appsmith
- Versions: *Specific vulnerable versions not provided in the context article.* (Assumed prior to patch release)
- Configurations: Default installation configurations where:
  1. Default user signup is enabled.
  2. The default internal PostgreSQL datasource remains configured (allowing server-side connections without password authentication).
  3. A malicious user creates an application exposing functionality allowing SQL queries against the default PostgreSQL instance.
## Vulnerability Description
The vulnerability arises from a chain of weak default configurations in Appsmith. Firstly, the default installation often allows uninvited user signups, enabling an attacker to create an account. Secondly, the default, locally running PostgreSQL datasource is configured in a manner that allows server-side connections to log in as **any user without a password**. A newly created malicious user can then build an application that leverages this vulnerable datasource connection. This connection allows the user to execute arbitrary SQL queries as the **PostgreSQL superuser**. The attacker can exploit this to execute OS commands, such as `cat /etc/passwd`, leading to full system compromise.
## Exploitation
- Status: PoC available (The article describes a clear method of exploitation that serves as a Proof of Concept).
- Complexity: Low (Leverages weak default configurations and an easy-to-trigger path via application creation).
- Attack Vector: Network (Requires initial account signup access, followed by application interaction).
## Impact
- Confidentiality: High (Access to sensitive system files like `/etc/passwd`, and potentially sensitive database records).
- Integrity: High (Ability to execute arbitrary OS commands as the superuser implies full system integrity compromise).
- Availability: High (Potential for system shutdown or data destruction).
## Remediation
### Patches
- *Specific patch version numbers are not provided in the context article.* Users must consult official Appsmith advisories for the patched version incorporating fixes for default configuration hardening and authentication bypass on internal services.
### Workarounds
- Disable open user signups immediately if the rest of the configuration hardening cannot be applied right away.
- Audit and modify the default PostgreSQL datasource configuration to enforce strong authentication (password/secrets management) for server-side connections.
- Restrict network access to the internal PostgreSQL instance if possible, only allowing necessary internal Appsmith services to connect.
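The second workaround can be checked and applied mechanically. The following is an added example, not Appsmith's own tooling or code from the article: it parses a PostgreSQL `pg_hba.conf`, reports entries whose METHOD admits clients without proving a secret, and writes a hardened copy that switches those entries to `scram-sha-256`. It assumes that the password-less behaviour the report describes is implemented by `trust` entries in `pg_hba.conf` (the article does not name the mechanism), that the superuser is reachable through an `all` user entry, and that the old two-field IP/netmask address syntax is not in use; the sample configuration embedded below is constructed for illustration and is not the configuration Appsmith ships.

```python
"""Audit a pg_hba.conf for entries that admit clients with no credentials
(METHOD = trust) and emit a hardened copy.

Added example for this page; not Appsmith's own tooling. Assumes the
"no password" behaviour in the report corresponds to `trust` entries and
that the legacy IP/netmask address form is not used (such lines are
skipped as unparsed)."""
import re
from dataclasses import dataclass

# Methods that hand out a session without a secret being proven over the wire.
WEAK_METHODS = {
    "trust": "no credentials required",
    "password": "cleartext password on the wire",
}
STRONG_METHOD = "scram-sha-256"
LOCAL_TYPES = {"local"}
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

# Constructed sample, NOT the configuration Appsmith ships.
SAMPLE_HBA = """\
# constructed sample; not the configuration Appsmith ships
local   all             all                                     trust
host    all             all             127.0.0.1/32            trust
host    all             all             ::1/128                 md5
hostssl appsmith        appsmith        10.0.0.0/8              scram-sha-256
"""


@dataclass
class HbaEntry:
    lineno: int
    conn_type: str
    database: str
    user: str
    address: str   # empty for Unix-socket ("local") entries
    method: str


def _split_fields(line):
    """Return (fields, index_of_method) or (None, None) if the line is not an entry."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None, None
    if fields[0] in LOCAL_TYPES and len(fields) >= 4:
        return fields, 3          # local DATABASE USER METHOD
    if fields[0] in HOST_TYPES and len(fields) >= 5:
        return fields, 4          # host* DATABASE USER ADDRESS METHOD
    return None, None


def parse_hba(text):
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields, midx = _split_fields(raw)
        if fields is None:
            continue
        address = "" if midx == 3 else fields[3]
        entries.append(HbaEntry(lineno, fields[0], fields[1], fields[2], address, fields[midx]))
    return entries


def audit(text):
    """Return (severity, entry, reason) for every entry using a weak method."""
    findings = []
    for e in parse_hba(text):
        if e.method in WEAK_METHODS:
            # "all" users means the superuser role itself is reachable with no secret.
            severity = "critical" if e.user == "all" else "high"
            findings.append((severity, e, WEAK_METHODS[e.method]))
    return findings


def _replace_method(raw, midx, new_method):
    """Swap the METHOD token in place, keeping spacing and any trailing comment."""
    code, sep, comment = raw.partition("#")
    parts = re.split(r"(\s+)", code)     # alternating tokens and whitespace
    seen = -1
    for i, p in enumerate(parts):
        if p and not p.isspace():
            seen += 1
            if seen == midx:
                parts[i] = new_method
                break
    return "".join(parts) + sep + comment


def harden(text):
    """Rewrite weak METHOD fields to scram-sha-256; everything else is untouched."""
    out = []
    for raw in text.splitlines():
        fields, midx = _split_fields(raw)
        if fields is not None and fields[midx] in WEAK_METHODS:
            raw = _replace_method(raw, midx, STRONG_METHOD)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for severity, entry, reason in audit(SAMPLE_HBA):
        print(f"line {entry.lineno}: {severity}: {entry.conn_type} {entry.user} -> {entry.method} ({reason})")
    print(harden(SAMPLE_HBA))
```

Switching the method only makes the server demand a password; the Appsmith datasource then needs real credentials, which is the moment to point it at a dedicated low-privilege role rather than the superuser. PostgreSQL re-reads `pg_hba.conf` on `SELECT pg_reload_conf();` or a `pg_ctl reload`, so the change takes effect without a restart.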
## Detection
- Indicators of Compromise:
  - Unusual database queries originating from the Appsmith internal application framework that attempt to read OS files (e.g., `cat /etc/passwd` in SQL commands).
  - Logs showing PostgreSQL connections established without valid credentials (check server-side connection logs).
- Detection methods and tools:
  - Database activity monitoring tools inspecting SQL commands executed against the internal PostgreSQL instance.
  - Web Application Firewalls (WAFs) or endpoint detection tools that monitor the host running Appsmith for attempts to read sensitive files once such a query has executed.
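Both indicators above can be pulled out of the PostgreSQL server log itself. The following is an added example, not Appsmith's own detection logic or code from the article: it correlates `connection authenticated` / `connection authorized` lines per backend PID to spot sessions that were admitted without any authentication step, and flags logged statements that name files under `/etc/` (the report cites `cat /etc/passwd`; the broader `/etc/` match is a constructed extension). It assumes `log_connections = on`, `log_statement = 'all'`, the default `log_line_prefix` (`%m [%p] `), PostgreSQL 14 or later (where a `connection authenticated:` line is written whenever an authentication method actually ran), and that the default superuser role is named `postgres`; the log lines embedded below are constructed for illustration.

```python
"""Scan PostgreSQL server log lines for the two indicators in the report:
sessions authorized without any authentication step (what a `trust` entry
produces) and statements that reference OS files.

Added example; not Appsmith's own detection. Assumes log_connections=on,
log_statement='all', default log_line_prefix '%m [%p] ', and PostgreSQL 14+
so that "connection authenticated:" precedes "connection authorized:" whenever
an authentication method ran."""
import re

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<level>\w+):\s+(?P<msg>.*)$")
AUTHORIZED_RE = re.compile(r"^connection authorized: user=(?P<user>\S+) database=(?P<db>\S+)")
STATEMENT_RE = re.compile(r"^(?:statement|execute \S+): (?P<sql>.*)$")
# /etc/passwd is the path the report cites; matching any /etc/ path is an extension.
OS_FILE_RE = re.compile(r"/etc/\w+", re.IGNORECASE)
SUPERUSERS = {"postgres"}   # assumption: default superuser role name

# Constructed sample log; the "statement" for PID 4321 is a placeholder, not a real query.
SAMPLE_LOG = """\
2024-05-01 10:00:00.101 UTC [4321] LOG:  connection received: host=127.0.0.1 port=51234
2024-05-01 10:00:00.102 UTC [4321] LOG:  connection authorized: user=postgres database=postgres application_name=appsmith
2024-05-01 10:00:02.500 UTC [4321] LOG:  statement: -- constructed placeholder for a query whose text contains: cat /etc/passwd
2024-05-01 10:05:00.000 UTC [4400] LOG:  connection received: host=10.0.0.5 port=40000
2024-05-01 10:05:00.001 UTC [4400] LOG:  connection authenticated: identity="appsmith" method=scram-sha-256 (/etc/postgresql/pg_hba.conf:5)
2024-05-01 10:05:00.002 UTC [4400] LOG:  connection authorized: user=appsmith database=appsmith application_name=appsmith
2024-05-01 10:05:01.000 UTC [4400] LOG:  statement: SELECT id, name FROM customers LIMIT 10
"""


def scan(log_text):
    """Return a list of alert dicts, in log order."""
    authenticated = set()   # PIDs for which an authentication method actually ran
    session_user = {}       # PID -> role name once the session was authorized
    alerts = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("connection authenticated:"):
            authenticated.add(pid)
        elif (a := AUTHORIZED_RE.match(msg)):
            session_user[pid] = a["user"]
            if pid not in authenticated:
                # Authorized with no preceding authentication: a trust-style admission.
                alerts.append({"kind": "no_authentication", "pid": pid, "ts": m["ts"],
                               "user": a["user"], "detail": msg})
        elif (s := STATEMENT_RE.match(msg)):
            sql = s["sql"]
            if OS_FILE_RE.search(sql):
                user = session_user.get(pid, "?")
                alerts.append({"kind": "os_file_in_statement", "pid": pid, "ts": m["ts"],
                               "user": user, "superuser": user in SUPERUSERS, "detail": sql})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['ts']} pid={alert['pid']} user={alert['user']} {alert['kind']}: {alert['detail']}")
```

The PID correlation is what makes the first rule reliable: a `trust` login produces a `connection authorized` line with no `connection authenticated` line before it, whereas a SCRAM login produces both. A session that trips both rules, as PID 4321 does here, is the pattern the report describes and should be treated as a host compromise, not just a database one.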
## References
- *Vendor advisories are not provided in the context article.*