Horizon Alert
Summary of the vulnerability and why it matters
This advisory details a path traversal vulnerability in the Git Service component of Altium Enterprise Server and Altium 365. The flaw allows authenticated users to move files outside of their intended repositories, which can lead to remote code execution and, in multi-tenant environments, potential access to other tenants' data. This issue has been remediated in Altium 365 and fixed in a specific version of Altium Enterprise Server.
- An authenticated user can move files inappropriately.
- Could enable remote code execution and data access.
- Confirm relevance and exposure for affected systems.
Attack Path
How an attacker could exploit the issue
An attacker, already authenticated with basic Git access, can leverage a path traversal vulnerability in the Git Service component. This allows them to manipulate files outside the repository, potentially injecting malicious scripts that the service later executes. This could lead to remote code execution and, in multi-tenant environments, unauthorized access to other tenants' data.
- Authenticated user with Git access required.
- Move files to sensitive directories.
- Remote code execution and data access.
Live Threat
Current exploitation, exposure, and threat context
An authenticated user with basic Git access could exploit a path traversal vulnerability to move files outside the repository. This could allow them to place malicious scripts in executable locations, potentially leading to remote code execution under the Git Service account. On multi-tenant systems, this could also expose data belonging to other tenants.
- Arbitrary file movement by authenticated users.
- Malicious script placement for execution.
- Remote code execution or cross-tenant data access.
Operational Fix
Recommended remediation, mitigation, and detection steps
The Git Service component in Altium Enterprise Server and Altium 365 is affected by a path traversal vulnerability. Technical leaders should coordinate with application owners and infrastructure teams to identify all instances of the affected technology, assess their reachability and criticality, and determine the accountable owners for remediation planning.
- Identify affected Altium installations.
- Verify exploitability and business criticality.
- Plan remediation based on risk assessment.