Delphix

TB122 Command Injection Vulnerability in the Continuous Data and Continuous Compliance Engines - CVE-2024-6726

Alert Type

Security

Impact

Severity (NVD): High 

Delphix CVSS v3.1 Score:  8.8 

Delphix CVSS v3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 

Attack Vector – Network 
Attack Complexity – Low 
Privileges Required – Low 
User Interaction – None 
Scope – Unchanged 
Confidentiality – High 
Integrity – High 
Availability – High 

An authenticated user holding the “Provisioner” or “Owner” role on a dataset group can inject specially crafted operating-system commands through the “sourceConfig.path” parameter of the “database/createEmpty” API on the Delphix Continuous Data or Continuous Compliance Engine. The injected commands are executed as root on the engine, so a low-privileged API account gains full control of the appliance. This root-level privilege escalation is what drives the High confidentiality, integrity and availability ratings above.
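The following is an added illustration of the bug class, not Delphix code and not the engine's actual implementation of database/createEmpty: a request-supplied path spliced into a shell command line (the vulnerable pattern), beside a hardened form that allow-list validates the path and then invokes the program with an argv list and no shell. The request shape, the /mnt/provision root, and every function name are assumptions, and echo stands in for whatever the real service would run with the path; the injected payload only prints a marker string.

```python
"""Command-injection pattern behind a path parameter, beside a hardened form.

Added illustration, not Delphix code: the request shape, the allowed root
/mnt/provision, and every function here are assumptions made to show the bug
class described in this advisory. `echo` stands in for whatever the real
service would run with the path.
"""
import posixpath
import re
import subprocess

# Constructed sample request bodies (assumed shape mirroring the advisory's
# sourceConfig.path parameter). The payload only echoes a marker string.
BENIGN_REQUEST = {"sourceConfig": {"path": "/mnt/provision/db1"}}
MALICIOUS_REQUEST = {"sourceConfig": {"path": "/mnt/provision/db1; echo INJECTED"}}

ALLOWED_ROOT = "/mnt/provision/"                  # assumption for the demo
_SAFE_PATH = re.compile(r"/[A-Za-z0-9._/-]+")     # conservative allow-list


def build_vulnerable_command(path: str) -> str:
    """Vulnerable pattern: the caller-supplied path is concatenated into a
    shell command line, so any shell metacharacter it carries is parsed by
    the shell instead of being treated as part of the path."""
    return "echo creating " + path


def run_vulnerable(request: dict) -> str:
    """Runs the concatenated string through /bin/sh (shell=True).
    If the service runs as root, so does whatever was injected."""
    cmd = build_vulnerable_command(request["sourceConfig"]["path"])
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.strip()


def validate_path(path: str) -> str:
    """Allow-list validation for a filesystem path taken from an API body:
    absolute, only [A-Za-z0-9._/-], already normalized (so no '..', '//' or
    trailing '/' survives), and inside the expected root."""
    if not _SAFE_PATH.fullmatch(path):
        raise ValueError("path contains characters outside the allowed set")
    if posixpath.normpath(path) != path:
        raise ValueError("path must be normalized (no '..', '//' or trailing '/')")
    if not path.startswith(ALLOWED_ROOT):
        raise ValueError("path is outside the allowed provisioning root")
    return path


def run_hardened(request: dict) -> str:
    """Hardened form: validate first, then pass the path as a single argv
    element with no shell, so metacharacters are never interpreted even if
    validation were ever loosened."""
    path = validate_path(request["sourceConfig"]["path"])
    proc = subprocess.run(["echo", "creating", path],
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def hardened_outcome(request: dict) -> str:
    """Convenience wrapper: the command output on success, or the rejection
    reason prefixed with 'rejected:' when validation fails."""
    try:
        return run_hardened(request)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable(MALICIOUS_REQUEST))
    print("hardened  :", hardened_outcome(MALICIOUS_REQUEST))
    print("hardened  :", hardened_outcome(BENIGN_REQUEST))
```

The two defences are independent on purpose: the argv form alone already stops shell parsing, and the allow-list alone already rejects the payload, so a regression in either one does not reopen the hole. Note that the validator also rejects traversal and out-of-root paths, which matters for a path that is later used as a filesystem target even when no shell is involved.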

Affected Products and Versions 

Continuous Data (formerly Virtualization) 

Continuous Data has a variety of functional deployments, and the impact depends on which one you are running:

Configuration                Affected
Continuous Data              Yes
Cloud Engine                 Yes
Continuous Vault             Yes
Self Service (Jet Stream)    No

Affected versions: all supported releases up to and including 24.0.0.0.

Continuous Compliance (formerly Masking) 

Affected versions: all supported releases up to and including 24.0.0.0.

Containerized Masking: N/A
Hyperscale Compliance: N/A
Data Control Tower: N/A
Delphix Compliance Services: N/A

Mitigation 

Upgrade to a version of the product that does not contain this vulnerability (see Resolution below). No workaround is published in this bulletin; because the flaw is reachable by any account holding the Provisioner or Owner role on a dataset group, limit membership of those roles to trusted users until the upgrade is applied.

Resolution 

Resolved in DevOps Data Platform version 25.0.0.0 and later releases for the Continuous Data Engines and Continuous Compliance Engines. 

Additional Information