Appwrite CLI - Too permissive access on preferences file
While involved in the design and implementation of a back-end infrastructure for one of our clients, we had the occasion to work with Appwrite, an open-source solution that aims to provide an all-in-one back-end platform for web and mobile applications. Targeting mostly front-end developers, Appwrite positions itself as a Firebase alternative.
The scope of the features provided by Appwrite is rather large: user management, authentication, authorisation, database, object storage, etc. To administrate the platform, a web console is provided as well as a CLI tool.
The Security Issue
Upon login, the Appwrite CLI creates a configuration file in ~/.appwrite/prefs.json to store the user credentials. While this is a common practice, the Appwrite CLI does not restrict access to the file to its owner by setting the appropriate UNIX permissions. Consequently, any user on the local system can read the stored credentials and, by extension, gain access to the Appwrite back-end. All versions before 3.0.0 are affected.
Remediation
After this discovery, we reported the security issue to the Appwrite Security Team. They acknowledged our finding and even offered us some goodies to show their gratitude, which we kindly declined as it goes against our values. However, after this e-mail exchange, we have not received any news from them to this day. Thankfully, despite the lack of communication, the security issue was fixed months later. Still, the patch was blended into other changes without any mention of it, neither in the commit message nor as a security advisory.
When we noticed that the issue had been fixed silently, we filed a CVE request, which was granted CVE-2023-50974 with medium severity.
Conclusion
Despite not being a critical vulnerability, we regret the lack of communication and responsiveness from the Appwrite project. We understand that they may have had other priorities, but security issues should not be taken lightly, regardless of their severity.
Regarding the technical aspects, when storing sensitive content in a file, we encourage you to include local attackers in your threat model and to enforce restrictive permissions on that file.