JeecgBoot
cpe:2.3:a:jeecg:jeecg-boot:*:*:*:*:*:*:*
- <= 3.9.2
A server-side request forgery (SSRF) vulnerability exists in JeecgBoot versions through 3.9.2. The issue is located in the AiragModel test endpoint, where the application improperly validates the baseUrl parameter. This flaw allows authenticated attackers to send requests to internal resources or cloud metadata endpoints, potentially accessing sensitive information or probing internal services. The vulnerability is exacerbated by the absence of permission checks on the endpoint, allowing any authenticated user to exploit it. Additionally, the malicious baseUrl is persisted in the database, creating a stored SSRF condition.
Exploitation of this vulnerability allows for server-side request forgery, where an attacker can make the server send requests on their behalf. This could be used to access internal services, perform port scanning, or retrieve sensitive information from cloud metadata endpoints.
To reproduce this vulnerability, authenticate as any user and send a POST request to the '/airag/airagModel/test' endpoint. Include a JSON payload that specifies an 'AiragModel' object with a baseUrl pointing to an internal resource or cloud metadata endpoint. The server will then execute a request to the specified URL via the langchain4j integration.
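The validation the endpoint is missing, shown as an added example in Python; this is not JeecgBoot's code, not its langchain4j integration and not the planned fix. Before a user-supplied baseUrl is stored or used for a test request, the destination is resolved and every record is checked against loopback, private, link-local, reserved and cloud-metadata space, so the scheme, the literal-address and the hostname paths all end up in one verdict. The function and table names (`check_base_url`, `is_blocked_address`, `fake_resolver`, `FAKE_DNS`), the metadata host list and the sample URLs are assumptions constructed for the example.

```python
"""Destination check for a user-controlled model base URL (added example)."""
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Hostnames cloud providers map to instance metadata (assumed list; extend per deployment).
METADATA_HOSTS = {"metadata.google.internal", "metadata"}

# Metadata addresses spelled out so the intent is visible, even though the
# range checks below would catch them too.
METADATA_ADDRS = {
    ipaddress.ip_address("169.254.169.254"),  # IMDS address used by the major clouds
    ipaddress.ip_address("fd00:ec2::254"),    # AWS IMDS over IPv6
}

# Shared address space (RFC 6598) is not flagged by is_private on every Python version.
EXTRA_BLOCKED_NETS = [ipaddress.ip_network("100.64.0.0/10")]

Resolver = Callable[[str], Iterable[str]]


def default_resolver(host: str) -> List[str]:
    """Resolve a hostname to every A/AAAA record with the system resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_blocked_address(text: str) -> bool:
    """True if a server-side request must never be sent to this address."""
    addr = ipaddress.ip_address(text.split("%", 1)[0])  # drop an IPv6 scope id if present
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply to it.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (
        addr in METADATA_ADDRS
        or addr.is_loopback
        or addr.is_private        # RFC 1918, IPv6 ULA, documentation ranges
        or addr.is_link_local     # 169.254.0.0/16, fe80::/10
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified    # 0.0.0.0 / :: reach the local host on many stacks
        or any(addr in net for net in EXTRA_BLOCKED_NETS)
    )


def check_base_url(url: str, resolver: Resolver = default_resolver) -> Optional[str]:
    """Return None if url is an acceptable model endpoint, else the reason it is rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return "missing host"
    try:
        _ = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return "malformed port"
    if host in METADATA_HOSTS:
        return f"metadata host {host!r}"
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # literal address: nothing to resolve
    except ValueError:
        try:
            addrs = list(resolver(host))  # hostname: check every record, not just the first
        except OSError as exc:
            return f"cannot resolve {host!r}: {exc}"
    if not addrs:
        return f"no addresses for {host!r}"
    for a in addrs:
        if is_blocked_address(a):
            return f"{host!r} resolves to disallowed address {a}"
    return None


# Constructed lookup table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "model-api.example": ["8.8.8.8"],             # stand-in for a public endpoint
    "localhost": ["127.0.0.1", "::1"],
    "db.corp.example": ["10.0.0.5"],
    "rebinder.example": ["8.8.8.8", "10.0.0.9"],  # one public and one internal record
}


def fake_resolver(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return FAKE_DNS[host]


def run_demo() -> dict:
    """Run the check over constructed baseUrl values; maps each URL to its verdict."""
    samples = [
        "https://model-api.example/v1",
        "http://169.254.169.254/",
        "http://[::1]:8080/v1",
        "http://localhost/v1",
        "http://db.corp.example:5432/",
        "http://rebinder.example/v1",
        "file:///tmp/models",
        "http://[::ffff:127.0.0.1]/v1",
    ]
    return {u: check_base_url(u, fake_resolver) for u in samples}


if __name__ == "__main__":
    for url, verdict in run_demo().items():
        print(f"{'ALLOW' if verdict is None else 'REJECT':6} {url}  {verdict or ''}")
```

Two caveats follow from the advisory itself. Because the malicious baseUrl is persisted, the check has to run when the AiragModel is saved as well as when the test endpoint uses it, otherwise a value stored before the fix stays exploitable. And resolving first only narrows DNS rebinding: the HTTP client must connect to the address that was validated rather than resolve again, and any redirect it follows must be passed through the same check.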
A fix is planned for the upcoming release.