Security researchers at Tenable Research have discovered multiple flaws in LabKey Server Community Edition 18.2-60106.64 which could be exploited to steal user credentials, access medical data, and run arbitrary code through the LabKey browser.
LabKey Server is an open source collaboration tool that allows scientists to integrate, analyze, and share biomedical research data. While the platform serves as a secure data repository, vulnerabilities have been identified that allow security controls to be bypassed.
CVE-2019-3911 – Reflected XSS
Multiple flaws have been identified in all versions of LabKey Server Community Edition prior to v18.3.0 related to the validation and sanitization of query functions, in particular the query.sort parameter. The parameter is reflected in output to the user and is interpreted by the browser, which opens the door for a cross-site scripting attack. If the flaws are exploited, an attacker could run arbitrary code within the context of the browser. Attacks are possible with and without authentication.
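The defensive pattern for a reflected parameter like query.sort is to validate it against a strict allowlist and HTML-encode it on output. The following is an added example written for this article, not LabKey's own code; the sort grammar it accepts (comma-separated column names with an optional +/- prefix) and the HTML fragment it renders are assumptions chosen to illustrate the point, and the constructed probe value only shows how an unencoded reflection breaks out of the attribute.

```python
import html
import re

# Constructed allowlist for a sort specification: comma-separated column names,
# each optionally prefixed with '-' (descending) or '+' (ascending). The exact
# grammar LabKey accepts is an assumption; the validation pattern is the point.
_SORT_TOKEN = re.compile(r"[+-]?[A-Za-z_][A-Za-z0-9_]{0,63}")


def vulnerable_render(sort_param: str) -> str:
    """The unsafe pattern: the raw parameter is reflected straight into HTML."""
    return f'<input type="hidden" name="query.sort" value="{sort_param}">'


def validate_sort(sort_param: str) -> list[str]:
    """Return the sort tokens, or raise ValueError if any token is outside the allowlist."""
    tokens = [t.strip() for t in sort_param.split(",") if t.strip()]
    if not tokens:
        raise ValueError("empty sort specification")
    bad = [t for t in tokens if not _SORT_TOKEN.fullmatch(t)]
    if bad:
        raise ValueError(f"rejected sort token(s): {bad}")
    return tokens


def is_valid_sort(sort_param: str) -> bool:
    """Boolean wrapper around validate_sort for callers that just need a verdict."""
    try:
        validate_sort(sort_param)
        return True
    except ValueError:
        return False


def safe_render(sort_param: str) -> str:
    """Validate first, then HTML-encode the value on output (defence in depth)."""
    value = ",".join(validate_sort(sort_param))
    return f'<input type="hidden" name="query.sort" value="{html.escape(value, quote=True)}">'


def looks_like_xss_probe(sort_param: str) -> bool:
    """Cheap detection heuristic for access logs: markup or quote characters
    have no place in a column sort specification."""
    lowered = sort_param.lower()
    return any(ch in sort_param for ch in "<>\"'") or "javascript:" in lowered


if __name__ == "__main__":
    probe = '"><b>injected</b>'  # constructed sample, breaks out of the attribute
    print(vulnerable_render(probe))
    print(safe_render("-Name,Created"))
    print(is_valid_sort(probe), looks_like_xss_probe(probe))
```

The allowlist check rejects the probe outright; the output encoding is kept as a second layer so that a future change to the grammar cannot silently reintroduce the reflection.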
CVE-2019-3912 – Open Redirects
Open redirects via returnURL are present throughout LabKey Server which could be manipulated to redirect users to a location under the control of the attacker. __r paths are the easiest to manipulate.
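A returnURL parameter is safe to honour only when it resolves to the application itself. The check below is an added example for this article, not LabKey's code; the allowed host name is a constructed placeholder, and the function treats scheme-relative, backslash-prefixed and non-http(s) values as unsafe, falling back to a default page.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts the application may redirect to (assumption).
ALLOWED_HOSTS = frozenset({"labkey.example.org"})


def is_safe_return_url(return_url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for site-relative paths or absolute http(s) URLs on an allowed host."""
    if not return_url or any(c in return_url for c in "\r\n\t\x00"):
        return False
    # Browsers treat "/\evil.example" like "//evil.example"; normalise before parsing.
    candidate = return_url.replace("\\", "/")
    parts = urlsplit(candidate)
    scheme = parts.scheme.lower()
    if parts.netloc:
        # Absolute or scheme-relative URL: only http(s), only to an allowed host.
        host = (parts.hostname or "").lower()
        return scheme in ("http", "https") and host in allowed_hosts
    if scheme:
        # e.g. "javascript:..." or "https:evil.example" with no authority part
        return False
    # Plain path: must be site-relative and not protocol-relative.
    return candidate.startswith("/") and not candidate.startswith("//")


def resolve_return_url(return_url: str, default: str = "/", allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return the requested URL if it passes the check, otherwise the default page."""
    return return_url if is_safe_return_url(return_url, allowed_hosts) else default


if __name__ == "__main__":
    for sample in ["/home/project-begin.view", "//evil.example/", "javascript:void(0)"]:
        print(sample, "->", resolve_return_url(sample))
```

Credential-embedding forms such as `https://allowed-host@other-host/` are handled because the check uses the parsed hostname rather than a prefix comparison on the raw string.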
CVE-2019-3913 – Network Drive Mapping Logic Flaw
Improper sanitization of supplied values in the mount function allows a user to manipulate arguments in the ‘net use’ command when mapping network drives. Tenable has illustrated one of the vulnerabilities in a proof-of-concept exploit, in which a user supplies any valid drive letter, which results in the application ending the connection even if the remainder of the mapping command is not correct. Admin access to the web interface would be required for this vulnerability to be exploited. This flaw could be exploited to map a malicious drive to the server.
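The root cause of this class of flaw is building a command line from caller-supplied strings. The code below is an added example for this article, not LabKey's implementation: it shows the weak string-formatting pattern beside a hardened builder that validates the drive letter and UNC share against strict patterns (constructed assumptions) and returns an argv list, so no supplied value can add or alter a `net use` switch. The share name in the usage is a constructed sample.

```python
import re
import subprocess  # used only in mount(); nothing is executed by the checks

# Constructed validation rules (assumptions, not LabKey's code):
# a drive is a single letter followed by ':', a share is a simple UNC path.
_DRIVE = re.compile(r"[A-Za-z]:")
_UNC_SHARE = re.compile(r"\\\\[A-Za-z0-9._-]{1,253}\\[A-Za-z0-9._$-]{1,80}")


def vulnerable_mount_command(drive: str, share: str) -> str:
    """The weak pattern: caller-supplied values pasted into one command string."""
    return f"net use {drive} {share} /persistent:no"


def build_mount_argv(drive: str, share: str) -> list[str]:
    """Validate each value against a strict allowlist and return an argv list."""
    if not _DRIVE.fullmatch(drive):
        raise ValueError(f"invalid drive letter: {drive!r}")
    if not _UNC_SHARE.fullmatch(share):
        raise ValueError(f"invalid UNC share: {share!r}")
    return ["net", "use", drive.upper(), share, "/persistent:no"]


def is_valid_mount_request(drive: str, share: str) -> bool:
    """Boolean verdict for request handlers that want to reject early."""
    try:
        build_mount_argv(drive, share)
        return True
    except ValueError:
        return False


def mount(drive: str, share: str) -> int:
    """Run the validated argv without a shell (Windows only); returns the exit code."""
    result = subprocess.run(build_mount_argv(drive, share), check=False,
                            capture_output=True, text=True)
    return result.returncode


if __name__ == "__main__":
    share = "\\\\fileserver01\\research"  # constructed sample share
    print(vulnerable_mount_command("Z: /persistent:yes", share))
    print(build_mount_argv("z:", share))
    print(is_valid_mount_request("Z: /persistent:yes", share))
```

Note that passing an argv list alone is not enough here, because `net use` parses its own switches from each argument; the per-value allowlist is what keeps an extra token such as `/persistent:yes` out of the command.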
Tenable Research disclosed the vulnerabilities to LabKey and patches were developed to correct the three flaws. Updates correcting each of the vulnerabilities were released on January 16, 2019.
To prevent the flaws from being exploited, all users should update to LabKey Server Community Edition 18.3.0-61806.763 or later as soon as possible.