CVE-2024-55604
📋 TL;DR
Appsmith versions before 1.51 allow users holding the 'App Viewer' role to list the datasources of any workspace they have been invited to. This is an information disclosure: a viewer learns which datasources exist (their names and types) although only developers and administrators are meant to see them. It affects organizations running Appsmith that invite external or less-trusted users into workspaces as viewers. The listing does not expose the credentials stored inside the datasources.
💻 Affected Systems
- Appsmith, all versions before 1.51
📦 What is this software?
Appsmith by Appsmith. Appsmith is an open-source low-code platform for building internal tools. A "datasource" is a stored connection to a database, API or other backend that apps in a workspace query, and the built-in workspace roles are Administrator, Developer and App Viewer; the viewer role is meant to grant only the ability to use published apps, not to see how they are wired.
⚠️ Risk & Real-World Impact
Worst Case
An attacker holding viewer access (for example a departed contractor whose invite was never revoked, or an outside account in a shared workspace) enumerates every datasource in the workspace. The names and types reveal which production databases, SaaS APIs and internal services the apps talk to, which is reconnaissance for targeting those systems through other means.
Likely Case
Internal or external users with viewer permissions see the list of datasource names and types in a workspace, information that should be restricted to developers and administrators, which may violate internal data governance policies even though no credentials leak.
If Mitigated
With access reviewed so that only trusted accounts hold viewer invites, the impact is limited to unauthorized visibility of datasource names and types; the datasource credentials and the data behind them are not exposed by this bug.
🎯 Exploit Status
Exploitation requires an authenticated account that holds the 'App Viewer' role in the target workspace. No further privilege or separate exploit is needed: the listing is an ordinary authenticated API request that the server should have refused.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.51
Vendor Advisory: https://github.com/appsmithorg/appsmith/security/advisories/GHSA-794x-gm8v-2wj6
Restart Required: Yes
Instructions:
1. Back up your Appsmith instance.
2. Update to Appsmith version 1.51 or later.
3. Restart the Appsmith service.
4. Verify the update was successful (see How to Verify below).
🧯 If You Can't Patch
- Review and audit all 'App Viewer' memberships across workspaces; revoke invites that are no longer needed, and keep workspaces that hold sensitive datasources free of external viewers, since the exposure is per workspace
- Restrict network access so that only trusted networks reach the Appsmith instance; this is defense in depth only, because an invited viewer who can legitimately reach the instance can still enumerate datasources until the patch is applied
🔍 How to Verify
Check if Vulnerable:
Check the Appsmith version in the admin settings page or in the version file inside the container. Any version below 1.51 is vulnerable; compare versions numerically rather than as strings, since "1.9" sorts after "1.51" lexically.
Check Version:
Check Appsmith admin panel or run: docker exec <container_name> cat /opt/appsmith/version.txt
Verify Fix Applied:
After updating to version 1.51 or later, log in with a test account that holds only the 'App Viewer' role in a workspace that contains datasources and confirm that it can no longer list them, either in the UI or by requesting the datasource listing API directly; the response should no longer enumerate the workspace's datasources.
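The two checks above, as an added example rather than anything shipped by Appsmith or taken from the advisory: a numeric version comparison against 1.51, and a helper that requests the datasource listing with an App Viewer session and interprets the response. The endpoint path `/api/v1/datasources?workspaceId=<id>`, the `{"responseMeta": ..., "data": [...]}` response envelope, the `SESSION` cookie name and the environment variable names are assumptions about the deployment; confirm them against your own instance before relying on the result.

```python
"""Check whether an Appsmith instance is still affected by CVE-2024-55604.

Added example for this page, not Appsmith code. Assumptions (verify locally):
  - the listing endpoint is GET /api/v1/datasources?workspaceId=<id>
  - responses use the {"responseMeta": {...}, "data": [...]} envelope
  - the session cookie is named SESSION
"""
import json
import os
import re
import sys
import urllib.error
import urllib.request

FIXED_VERSION = (1, 51)


def parse_version(text):
    """Turn 'v1.50.0-SNAPSHOT' or '1.51' into a tuple of ints for comparison."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p or 0) for p in m.groups())


def version_is_vulnerable(text):
    """True for any major.minor below 1.51 (string comparison would get '1.9' wrong)."""
    return parse_version(text)[:2] < FIXED_VERSION


def viewer_can_list_datasources(status, body):
    """True if the viewer session got a non-empty datasource list back.

    A 403 envelope, or a 200 with an empty `data` list, counts as fixed."""
    if status != 200:
        return False
    if isinstance(body, (bytes, str)):
        body = json.loads(body)
    data = body.get("data")
    return isinstance(data, list) and len(data) > 0


def fetch_datasources(base_url, workspace_id, session_cookie):
    """GET the listing exactly as the viewer's browser would; returns (status, body)."""
    url = f"{base_url.rstrip('/')}/api/v1/datasources?workspaceId={workspace_id}"
    req = urllib.request.Request(url, headers={"Cookie": f"SESSION={session_cookie}"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 401/403 still carry a JSON envelope
        return err.code, err.read()


if __name__ == "__main__":
    base = os.environ.get("APPSMITH_URL")
    workspace = os.environ.get("APPSMITH_WORKSPACE_ID")
    cookie = os.environ.get("APPSMITH_VIEWER_SESSION")  # SESSION cookie of a viewer-only test account
    if not (base and workspace and cookie):
        sys.exit("set APPSMITH_URL, APPSMITH_WORKSPACE_ID and APPSMITH_VIEWER_SESSION")
    status, body = fetch_datasources(base, workspace, cookie)
    exposed = viewer_can_list_datasources(status, body)
    print(f"HTTP {status}: viewer {'CAN' if exposed else 'cannot'} list datasources")
```

Run it with a session cookie copied from a browser logged in as the viewer-only test account; a non-empty `data` list after the upgrade means the fix did not take (wrong container restarted, or the version file read from a stale image).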
📡 Detection & Monitoring
Log Indicators:
- Datasource listing requests from accounts whose only workspace role is 'App Viewer', or from accounts with no recorded role in that workspace
- Several 403 responses on datasource or application endpoints from one account, followed by a successful datasource listing from the same account
Network Indicators:
- Bursts of requests to /api/v1/datasources endpoints from accounts that are neither Administrator nor Developer in the workspace
SIEM Query:
source="appsmith" AND (uri_path="/api/v1/datasources" OR uri_path="/api/v1/workspaces/*/datasources") AND user_role="viewer"
Treat `uri_path` and `user_role` as placeholders for your own field names. Appsmith's access logs record the request path and the caller but not the workspace role, so `user_role` has to be joined in from a workspace member export or your identity provider before this query returns anything.
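The enrichment and matching the query above relies on, run over constructed sample events; this is an added example, not Appsmith code or part of the advisory. It assumes the SIEM exports Appsmith access events as JSON lines with `ts`, `user`, `uri_path` and `status`, that workspace roles come from a separate member export, and that Appsmith object ids are 24-character hex strings. Both sample inputs are made up for the example.

```python
"""Detect datasource enumeration by App Viewer accounts (CVE-2024-55604).

Added example for this page, not Appsmith code. Assumes JSON-lines access
events with `ts`, `user`, `uri_path`, `status`, plus a separate role export,
since Appsmith's access logs carry the request path but not the caller's role.
"""
import json
import re

# Listing endpoints named on this page. Appsmith ids are assumed to be 24 hex chars.
LISTING_PATH = re.compile(r"^/api/v1/(?:datasources|workspaces/[0-9a-f]{24}/datasources)/?$")
# Any other datasource API path, used for the "denied, then enumerated" pattern.
DATASOURCE_API = re.compile(r"^/api/v1/datasources(?:/|$)")

PRIVILEGED_ROLES = {"administrator", "developer"}

# Constructed workspace member export (user -> role); not real data.
ROLE_MAP = {
    "alice@example.com": "Administrator",
    "bob@example.com": "Developer",
    "eve@example.com": "App Viewer",
}

# Constructed JSON-lines events; not real Appsmith logs.
SAMPLE_LOG = """\
{"ts":"2024-12-10T09:00:01Z","user":"alice@example.com","uri_path":"/api/v1/datasources","status":200}
{"ts":"2024-12-10T09:00:05Z","user":"eve@example.com","uri_path":"/api/v1/applications","status":200}
{"ts":"2024-12-10T09:00:06Z","user":"eve@example.com","uri_path":"/api/v1/datasources/65a1b2c3d4e5f60718293a4c","status":403}
{"ts":"2024-12-10T09:00:07Z","user":"eve@example.com","uri_path":"/api/v1/datasources","status":200}
{"ts":"2024-12-10T09:00:08Z","user":"eve@example.com","uri_path":"/api/v1/workspaces/65a1b2c3d4e5f60718293a4b/datasources","status":200}
{"ts":"2024-12-10T09:00:12Z","user":"mallory@example.com","uri_path":"/api/v1/datasources","status":200}
{"ts":"2024-12-10T09:00:15Z","user":"bob@example.com","uri_path":"/api/v1/datasources","status":200}
"""


def load_events(text):
    """Parse JSON lines, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def normalize_role(role):
    """'App Viewer' -> 'app_viewer'; accounts absent from the export get 'unknown'."""
    return role.strip().lower().replace(" ", "_") if role else "unknown"


def find_viewer_enumeration(events, role_map):
    """Return {user: finding} for every non-privileged account that successfully
    listed datasources. Accounts missing from the role export are reported too:
    an account with no workspace role should not be listing anything."""
    findings = {}
    for ev in events:
        user = ev.get("user", "")
        role = normalize_role(role_map.get(user))
        if role in PRIVILEGED_ROLES:
            continue  # developers and admins are entitled to the listing
        path, status = ev.get("uri_path", ""), int(ev.get("status", 0))
        f = findings.setdefault(
            user, {"role": role, "listings": 0, "denied": 0, "paths": [], "first_seen": ev.get("ts")}
        )
        if LISTING_PATH.match(path) and status == 200:
            f["listings"] += 1
            f["paths"].append(path)
        elif DATASOURCE_API.match(path) and status == 403:
            f["denied"] += 1  # earlier refusals strengthen the enumeration signal
    return {u: f for u, f in findings.items() if f["listings"] > 0}


if __name__ == "__main__":
    hits = find_viewer_enumeration(load_events(SAMPLE_LOG), ROLE_MAP)
    print(json.dumps(hits, indent=2))
```

After the upgrade to 1.51 this rule should go quiet for viewer accounts; if it keeps firing, the listing endpoint is still answering viewers and the patch is not in effect on the instance that produced the logs.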