New API Server-Side Request Forgery Vulnerability
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability has been identified in New API versions prior to 0.9.0.5. The affected feature lets authenticated users submit URLs that the server then fetches. The application does not validate these user-supplied URLs before making the request, so any URL scheme or destination is accepted. Because user registration is typically enabled by default, any registered user can exploit this vulnerability. By crafting a malicious URL, an attacker can make the server send requests to arbitrary internal or external services. This could lead to scanning of internal networks, leakage of information from sensitive internal services, or access to cloud provider metadata services to exfiltrate temporary security credentials.
Impact
Exploitation of this vulnerability allows for authenticated Server-Side Request Forgery, with potential consequences including scanning of internal networks, information leakage from internal services, and exposure of cloud credentials by accessing metadata services.
Reproduction
To reproduce this vulnerability, an authenticated user can submit a URL through the application's feature that processes user-supplied links. The server will then make a request to the provided URL without proper validation, allowing the user to access internal or external services arbitrarily.
Remediation
Users are advised to upgrade to New API version 0.9.0.5 or later, where this vulnerability has been patched. The patch introduces a user-configurable SSRF protection module, enabled by default, which allows administrators to control outbound requests from the server. For those unable to upgrade immediately, it is recommended to enable the New API image processing worker and/or configure egress firewall rules to restrict outbound traffic.
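The remediation above describes an SSRF protection module that vets outbound requests before the server makes them. The following Go code (New API is written in Go) is an added example of such a check and is not the project's own module: it restricts the scheme to http/https, rejects embedded userinfo, resolves the host, and refuses any address in loopback, private, link-local (which includes the cloud metadata address), CGNAT, multicast or IPv6 ULA ranges. The prefix list, the Resolver type, ValidateOutboundURL and the hostnames in the demo are assumptions made for this example, not names from New API.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/netip"
	"net/url"
	"strings"
)

// Resolver is injected so production code can pass SystemResolver while a test
// passes an offline stub. (Hypothetical type, not from New API.)
type Resolver func(ctx context.Context, host string) ([]netip.Addr, error)

// SystemResolver performs a real DNS lookup through the standard resolver.
func SystemResolver(ctx context.Context, host string) ([]netip.Addr, error) {
	return net.DefaultResolver.LookupNetIP(ctx, "ip", host)
}

// blockedPrefixes are ranges an outbound fetcher should never be allowed to
// reach: "this" network, RFC 1918, CGNAT, loopback, link-local (covers the
// 169.254.169.254 metadata endpoint), multicast, reserved, IPv6 unspecified,
// loopback, ULA, link-local and multicast. Assumed list; extend for your estate.
var blockedPrefixes = func() []netip.Prefix {
	raw := []string{
		"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
		"169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
		"224.0.0.0/4", "240.0.0.0/4",
		"::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
	}
	out := make([]netip.Prefix, 0, len(raw))
	for _, s := range raw {
		out = append(out, netip.MustParsePrefix(s))
	}
	return out
}()

// addrAllowed unmaps IPv4-mapped IPv6 (::ffff:127.0.0.1) before checking so
// that form cannot slip past an IPv4-only blocklist.
func addrAllowed(a netip.Addr) bool {
	a = a.Unmap()
	for _, p := range blockedPrefixes {
		if p.Contains(a) {
			return false
		}
	}
	return true
}

// ValidateOutboundURL returns the vetted addresses for raw, or an error if the
// URL must not be fetched. Callers should dial one of the returned addresses
// directly (with the original hostname for SNI/Host) rather than re-resolving,
// otherwise a DNS rebinding between check and fetch would bypass the check.
func ValidateOutboundURL(ctx context.Context, raw string, resolve Resolver) ([]netip.Addr, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("unparseable url: %w", err)
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
	default:
		return nil, errors.New("scheme not allowed: only http and https")
	}
	if u.User != nil {
		return nil, errors.New("userinfo in url not allowed")
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("empty host")
	}
	var addrs []netip.Addr
	if ip, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{ip} // literal IP: nothing to resolve
	} else {
		addrs, err = resolve(ctx, host)
		if err != nil {
			return nil, fmt.Errorf("resolve %q: %w", host, err)
		}
		if len(addrs) == 0 {
			return nil, fmt.Errorf("resolve %q: no addresses", host)
		}
	}
	// Every address must be allowed: a name that resolves to one public and one
	// private address is rejected outright.
	for _, a := range addrs {
		if !addrAllowed(a) {
			return nil, fmt.Errorf("host %q resolves to blocked address %s", host, a)
		}
	}
	return addrs, nil
}

func main() {
	// Constructed inputs for the demo; the resolver stub avoids network access.
	stub := func(_ context.Context, host string) ([]netip.Addr, error) {
		if host == "example.org" {
			return []netip.Addr{netip.MustParseAddr("93.184.216.34")}, nil
		}
		return nil, errors.New("nxdomain")
	}
	for _, raw := range []string{
		"https://example.org/image.png",
		"http://169.254.169.254/latest/meta-data/",
		"http://[::ffff:127.0.0.1]/",
		"file:///etc/passwd",
	} {
		addrs, err := ValidateOutboundURL(context.Background(), raw, stub)
		fmt.Printf("%-45s -> addrs=%v err=%v\n", raw, addrs, err)
	}
}
```

Two points follow from the design. First, the check is only as good as what happens after it: the fetcher must connect to the returned address and re-run ValidateOutboundURL on every redirect hop, since a redirect from a public host to an internal one is the classic way past a one-shot validator. Second, an address blocklist is a floor, not a ceiling; where the feature only ever needs a handful of upstream hosts, an explicit allowlist is simpler and stronger, and the egress firewall rules mentioned in the remediation remain worthwhile as a second layer.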