| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.kyuubi:kyuubi-server_2.12 | maven | >= 1.6.0, < 1.10.3 | 1.10.3 |
The vulnerability description indicates a path traversal issue in Apache Kyuubi, where the kyuubi.session.local.dir.allow.list configuration can be bypassed. The fix is in version 1.10.3. By comparing the git tags for version 1.10.2 and 1.10.3, I identified a commit da728ba212f7c413ccf0894d23eebec96253417e with the message "Normalize local path in Kyuubi server".
Analysis of this commit's changes reveals a modification in the kyuubi-server/src/main/scala/org/apache/kyuubi/engine/KyuubiApplicationManager.scala file, specifically within the checkApplicationAccessPath function. The patch introduces path normalization by changing uri.getPath.startsWith(_) to Paths.get(uri.getPath).normalize.startsWith(_).
The lack of path normalization is a classic path traversal vulnerability. Before the patch, a path like /allowed/path/../../unauthorized/file would pass the startsWith("/allowed/path") check but would ultimately access a file outside the intended directory. The introduction of normalize() collapses such ../ (and ./) sequences before the comparison, so the normalized path, rather than the raw string, is checked against the allow list, thereby mitigating the vulnerability. The associated test file also adds a case to confirm that paths containing .. are now correctly blocked, providing further evidence that this change is the security fix.
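The pre-patch and post-patch checks side by side, as an added illustration that is not code from the Kyuubi project: Python's posixpath.normpath stands in for java.nio's Path.normalize (both collapse . and .. lexically without touching the filesystem, so neither resolves symlinks), and the patched variant compares whole path components, as Java's Path.startsWith does, rather than raw characters. The allow list value is constructed for the example.

```python
import posixpath

# Constructed allow list, standing in for kyuubi.session.local.dir.allow.list.
ALLOW_LIST = ["/allowed/path"]


def check_vulnerable(path: str, allow_list=ALLOW_LIST) -> bool:
    """Pre-patch logic: plain string prefix test on the raw URI path,
    equivalent to Scala's `uri.getPath.startsWith(_)`. No normalization,
    so '/allowed/path/../../x' passes because it literally begins with
    '/allowed/path'."""
    return any(path.startswith(allowed) for allowed in allow_list)


def _components(p: str) -> list:
    """Split an absolute POSIX path into its non-empty name elements."""
    return [c for c in p.split("/") if c]


def check_patched(path: str, allow_list=ALLOW_LIST) -> bool:
    """Post-patch logic, mirroring `Paths.get(uri.getPath).normalize.startsWith(_)`.
    normpath removes '.' and '..' segments (lexically only: symlinks are not
    resolved), and the prefix test runs over name elements, so an entry like
    '/allowed/path' does not match '/allowed/pathology'."""
    norm_parts = _components(posixpath.normpath(path))
    for allowed in allow_list:
        allowed_parts = _components(posixpath.normpath(allowed))
        if norm_parts[: len(allowed_parts)] == allowed_parts:
            return True
    return False


def compare(paths):
    """Return {path: (vulnerable_result, patched_result)} for a list of paths."""
    return {p: (check_vulnerable(p), check_patched(p)) for p in paths}


if __name__ == "__main__":
    # Constructed sample inputs: an in-scope file, the traversal case from the
    # write-up, and a sibling directory sharing a character prefix.
    for p, (old, new) in compare([
        "/allowed/path/data.csv",
        "/allowed/path/../../unauthorized/file",
        "/allowed/pathology/x",
    ]).items():
        print(f"{p:45} pre-patch={old!s:5} post-patch={new}")
```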
Affected function: org.apache.kyuubi.engine.KyuubiApplicationManager.checkApplicationAccessPath
Affected file: kyuubi-server/src/main/scala/org/apache/kyuubi/engine/KyuubiApplicationManager.scala