jeecgboot
cpe:2.3:a:jeecg:jeecg-boot:*:*:*:*:*:*:*
- <= 3.9.1
A server-side request forgery (SSRF) vulnerability has been identified in JeecgBoot versions prior to 3.9.2. The issue arises in the '/airag/app/debug' endpoint, where the server processes URLs through the 'FileDownloadUtils.download2DiskFromNet' function. This vulnerability allows authenticated attackers to send arbitrary internal or external URLs, which the server then fetches without proper validation. As a result, the application can be manipulated to make outbound HTTP requests to internal services, local ports, or cloud instance metadata endpoints, such as 169.254.169.254.
Exploitation of this vulnerability allows for server-side request forgery, where the server is tricked into making requests on behalf of the attacker. This could potentially be used to access internal services or metadata that could aid in further attacks.
To reproduce this vulnerability, authenticate as a registered user to obtain a valid JWT or X-Access-Token. Then, send a POST request to the '/airag/app/debug' endpoint, including a 'files' array in the JSON request body. This array should contain a URL targeting an internal resource, ensuring it ends with a whitelisted extension, such as '.pdf'. The server will process the request, download the file from the specified URL, and trigger the SSRF vulnerability by accessing the internal resource.
Upgrade to JeecgBoot version 3.9.2, which addresses this vulnerability.
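The root cause described above is that the download helper accepts any URL whose path ends in an allowlisted extension, so the allowlist screens the file name rather than the destination. As an added example (not JeecgBoot's code), the following Python shows the destination check such a server-side fetch needs; the extension allowlist, `FAKE_DNS` and `constructed_resolve` are assumptions so the check can run offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".txt"}      # constructed allowlist

def system_resolve(host):
    """All A/AAAA answers for host via the OS resolver (production path)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_safe_download_url(url, resolve=system_resolve):
    """Beyond the extension allowlist, every address the host resolves to must
    be globally routable; is_global is False for 127/8, 10/8, 172.16/12,
    192.168/16, fc00::/7 and the 169.254/16 link-local range that contains
    the cloud metadata endpoint named in the advisory."""
    try:
        parts = urlsplit(url)
    except ValueError:                      # malformed IPv6 literal etc.
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False                        # user:pass@host confuses parsers
    if not any(parts.path.lower().endswith(e) for e in ALLOWED_EXTENSIONS):
        return False
    try:
        addrs = resolve(parts.hostname)
    except (OSError, ValueError):           # NXDOMAIN / unparsable host
        return False
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])    # drop IPv6 zone id
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped                 # ::ffff:10.0.0.5 -> 10.0.0.5
        if not ip.is_global or ip.is_multicast:
            return False
    return bool(addrs)                      # an empty answer is also a reject

# Constructed DNS table so the check runs offline; IP literals resolve to
# themselves, unknown names raise ValueError and are rejected.
FAKE_DNS = {"files.example.com": {"93.184.216.34"},   # constructed public host
            "metadata-alias.example.com": {"169.254.169.254"}}

def constructed_resolve(host):
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    ipaddress.ip_address(host)
    return {host}
```

The same check has to be re-applied to every redirect target the fetch follows, otherwise a permitted host can forward the request to an address the first check rejected.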