Vulnerabilities

D-Link DIR-456U Hardware Revision A1 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /etc/init0.d/S80telnetd.sh with the username "Alphanetworks" and the static password "whdrv01_dlob_dir456U" read from /etc/config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches.

Apache Polaris can issue broad temporary ("vended") storage credentials during<br /> staged<br /> table creation before the effective table location has been validated or<br /> durably reserved. <br /> Those temporary credentials are meant to limit the scope<br /> of<br /> accessible table data and metadata, but this scope limitation becomes<br /> attacker-<br /> directed because the attacker can choose a reachable target location.<br /> <br /> <br /> <br /> In the confirmed variant, if the caller supplies a custom `location` during<br /> stage create and requests credential vending, Apache Polaris uses that location to<br /> construct delegated storage credentials immediately. The stage-create path<br /> itself neither runs the normal location validation nor the overlap checks<br /> before those credentials are issued.<br /> <br /> <br /> <br /> Closely related to that, the staged-create flow also accepts<br /> `write.data.path` / `write.metadata.path` in the request properties and<br /> feeds<br /> those location overrides into the same effective table location set used for<br /> credential vending. Those fields are secondary to the main custom-`location`<br /> exploit, but they are still attacker-influenced location inputs that should<br /> be<br /> validated before any credentials are issued.

Apache Polaris accepts literal `*` characters in namespace and table names. When it<br /> later builds temporary S3 access policies for delegated table access, those<br /> same characters appear to be reused unescaped in S3 IAM resource patterns<br /> and<br /> `s3:prefix` conditions.<br /> <br /> <br /> <br /> In S3 IAM policy matching, `*` is treated as a wildcard rather than as<br /> ordinary text. That means temporary credentials issued for one crafted table<br /> can match the storage path of a different table.<br /> <br /> <br /> <br /> In private testing against Polaris 1.4.0 using Polaris&amp;#39; AWS S3 temporary-<br /> credential path on both MinIO and real AWS S3, credentials returned for<br /> crafted tables such as `f*.t1`, `f*.*`, `*.*`, and `foo.*` could reach other<br /> tables&amp;#39; S3 locations.<br /> <br /> <br /> The confirmed behavior includes:<br /> <br /> <br /> - reading another table&amp;#39;s metadata control file ([Iceberg metadata JSON]);<br /> <br /> - listing another table&amp;#39;s exact S3 table prefix ([table prefix]);<br /> <br /> - and, when write delegation was returned for the crafted table, creating<br /> and<br /> deleting an object under another table&amp;#39;s exact S3 table prefix.<br /> <br /> <br /> <br /> A control case using ordinary different names did not allow the same<br /> cross-table access.<br /> <br /> <br /> <br /> A least-privilege AWS S3 variant was also confirmed in which the attacker<br /> principal had no Polaris permissions on the victim table and only the<br /> minimal permissions required to create and use a crafted wildcard table<br /> (namespace-scoped `TABLE_CREATE` and `TABLE_WRITE_DATA` on `*`). In that<br /> setup, direct Polaris access to `foo.t1` remained forbidden, but the<br /> attacker<br /> could still create and load `*.*`, receive delegated S3 credentials, and use<br /> those credentials to list, read, create, and delete objects under `foo.t1`.<br /> <br /> <br /> <br /> In Iceberg, the metadata JSON file is a control file: it tells readers which<br /> data files belong to the table, which snapshots exist, and which table<br /> version<br /> to read. So unauthorized access to it is already a meaningful<br /> confidentiality<br /> problem. The confirmed write-capable variant means the issue is not limited<br /> to<br /> disclosure.

In plain terms, Apache Polaris is supposed to issue short-lived GCS credentials<br /> that<br /> only work for one table&amp;#39;s files, but a crafted namespace or table name can<br /> cause those credentials to work across the configured bucket instead.<br /> <br /> <br /> Apache Polaris builds Google Cloud Storage downscoped credentials by creating a<br /> Credential Access Boundary (CAB) with CEL conditions that are intended to<br /> restrict access to the requested table&amp;#39;s storage path.<br /> <br /> <br /> <br /> The relevant CEL string is built from the bucket name and the table path.<br /> That<br /> table path is derived from namespace and table identifiers. In current code,<br /> that path appears to be inserted into the CEL expression without escaping.<br /> <br /> <br /> <br /> As a result, a namespace or table identifier containing a single quote and<br /> other URI-safe CEL fragments can break out of the intended quoted string and<br /> change the meaning of the CEL condition.<br /> <br /> <br /> <br /> In private testing against Polaris 1.4.0 on real Google Cloud Storage, it was confirmed that Polaris accepted a crafted identifier and returned delegated<br /> GCS<br /> credentials whose CEL path restriction had effectively collapsed.<br /> <br /> <br /> Those delegated credentials could then:<br /> <br /> <br /> - list another table&amp;#39;s object prefix;<br /> <br /> - read another table&amp;#39;s metadata control file (Iceberg metadata JSON);<br /> <br /> - create and delete an object under another table&amp;#39;s object prefix;<br /> <br /> - and also list, read, create, and delete objects under an unrelated<br /> external<br /> prefix in the same bucket that was not part of any table path.<br /> <br /> <br /> <br /> That last point is important. The issue is not limited to "another table".<br /> In<br /> the confirmed setup, once Apache Polaris returned credentials for the crafted<br /> table,<br /> the path restriction inside the configured bucket was effectively gone.<br /> <br /> The practical effect is that temporary credentials for one crafted table<br /> can be<br /> broader than the table Polaris was asked to authorize, and can become<br /> effectively bucket-wide within the configured bucket.<br /> <br /> <br /> <br /> The current GCS testing used a Polaris principal with broad catalog<br /> privileges for setup. A separate least-privilege Polaris RBAC variant<br /> has not yet been tested on GCS. However, the storage-credential<br /> broadening behavior itself has been confirmed on GCS.

In Apache Iceberg, the table&amp;#39;s metadata files are control files: they tell readers<br /> which data files belong to the table and which table version to read.<br /> <br /> <br /> <br /> `write.metadata.path` is an optional table property that tells Polaris<br /> where to<br /> write those metadata files. <br /> For a table already registered in a<br /> Polaris-managed<br /> catalog, changing only that property through an `ALTER TABLE`-style settings<br /> change (not a row-level `INSERT`, `SELECT`, `UPDATE`, or `DELETE`) bypasses<br /> the commit-time branch that is supposed to revalidate storage locations.<br /> <br /> The full persisted / credential-vending variant requires the affected<br /> catalog<br /> to have `polaris.config.allow.unstructured.table.location=true`, with<br /> `allowedLocations` broad enough to include the attacker-chosen target.<br /> <br /> <br /> `allowedLocations` is the admin-configured allowlist of storage paths that<br /> the<br /> catalog is allowed to use. Public project materials suggest that this flag<br /> is a<br /> real supported compatibility / layout mode, not just a contrived lab-only<br /> prerequisite.<br /> <br /> <br /> In that configuration, a user who can change table settings can cause Apache Polaris<br /> itself to write new table metadata to an attacker-chosen reachable storage<br /> location before the intended location-validation branch runs.<br /> <br /> If the later concrete-path validation also accepts that location, Polaris<br /> persists the resulting metadata path into stored table state. Later<br /> table-load<br /> and credential APIs can then return temporary cloud-storage credentials for<br /> the<br /> same location without revalidating it. In plain terms, Polaris can later<br /> hand<br /> out temporary storage access for the same attacker-chosen area.<br /> <br /> That attacker-chosen area does not need to be limited to the poisoned<br /> table&amp;#39;s<br /> own files. If it is a broader storage prefix, another table&amp;#39;s prefix, or,<br /> depending on configuration or provider behavior, even a bucket/container<br /> root,<br /> the resulting disclosure or corruption scope can extend to any data and<br /> metadata Polaris can reach there.<br /> <br /> <br /> <br /> The practical consequences are therefore similar to the staged-create<br /> credential-vending issue already discussed: data and metadata reachable in<br /> that<br /> storage scope can be exposed and, if write-capable credentials are later<br /> issued, modified, corrupted, or removed. Even before that later credential<br /> step, Polaris itself performs the metadata write to the unchecked location.<br /> <br /> So the core issue is not only later credential vending. <br /> <br /> The primary defect<br /> is<br /> that Polaris skips its intended location checks before performing a<br /> security-<br /> sensitive metadata write when only `write.metadata.path` changes.<br /> <br /> <br /> <br /> When `polaris.config.allow.unstructured.table.location=false`, current code<br /> review suggests the later `updateTableLike(...)` validation usually rejects<br /> out-of-tree metadata locations before the unsafe path is persisted. That may<br /> reduce the persisted / credential-vending variant, but it does not prevent<br /> the<br /> underlying defect: Polaris still skips the intended pre-write location check<br /> when only `write.metadata.path` changes.

PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, there is an arbitrary file write vulnerability via `save_generated_slides`. This issue has been patched via commit 418491a.

D-Link DIR-600L Hardware Revision A1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn35_dlwbr_dir600l" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches.

D-Link DIR-600L Hardware Revision B1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn61_dlwbr_dir600L" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control.  The device has reached End-of-Life (EOL) and will not receive patches.

D-Link DIR-605L Hardware Revision B2 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn76_dlwbr_dir605L" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches.

D-Link DIR-605L Hardware Revision A1 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn35_dlwbr_dir605l" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches.

Notesnook is a note-taking app focused on user privacy &amp; ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the note export flow can be escalated to remote code execution in the desktop app. The root cause is that exported note fields such as title, headline, and content are inserted into the generated HTML template without HTML escaping. When the note is later exported to PDF, Notesnook renders that HTML into a same-origin, unsandboxed iframe using iframe.srcdoc = .... Injected script executes in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in Notesnook Web/Desktop version 3.3.15 and Notesnook iOS/Android version 3.3.20.

PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, PPTAgent is vulnerable to arbitrary file write and directory creation via markdown_table_to_image. This issue has been patched via commit 418491a.