Ghost Server-Side Request Forgery Vulnerability in oEmbed Bookmark Handling

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability affects Ghost versions 5.99.0 through 5.130.3 and 6.0.0 through 6.0.8. Ghost's oEmbed API builds bookmark cards by fetching a user-supplied URL and reading metadata (title, icon, thumbnail) from the returned page. The icon and thumbnail URLs taken from that page were then fetched by the server without checking whether they point at internal addresses, so an attacker who controls the bookmarked page can make Ghost issue requests to localhost-only or otherwise internal services and obtain data it should never expose.

Impact

Successful exploitation turns the Ghost server into a request proxy: the attacker reaches internal resources that the server can connect to but the attacker cannot, with the potential to exfiltrate sensitive data from internal systems.

Reproduction

The oEmbed endpoint is part of Ghost's Admin API (it is the call the editor makes when it builds a bookmark card), so requests to it need an authenticated staff session. Calling it with the type parameter set to 'bookmark' runs fetchBookmarkData, which fetches the supplied URL, parses the returned page and reads its icon and thumbnail metadata (metadata.icon and metadata.thumbnail). Because those two values come from the fetched page, an attacker who hosts the bookmarked page controls them: point the page's icon or thumbnail at an internal resource, such as a service listening only on localhost, then request a bookmark for that page, and Ghost fetches the internal resource from the server side. Whatever the internal resource returns can then be logged or otherwise captured.

Remediation

Update to Ghost 5.130.4 (5.x line) or 6.0.9 (6.x line); both releases contain the patch for this vulnerability.

Added: Sep 17, 2025, 3:18 PM
Updated: Sep 17, 2025, 5:07 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 3.8
exploitability: 6.3
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.