OpenCTI Data Ingestion Feature Semi-Blind SSRF Vulnerability
Vulnerability
A semi-blind server-side request forgery (SSRF) vulnerability has been identified in the OpenCTI platform's data ingestion feature, prior to version 6.8.16. The issue arises because the platform accepts user-supplied URLs without proper validation and passes them to the Axios HTTP client with its default settings, which allow absolute URLs. This vulnerability enables attackers to make the platform send requests to arbitrary endpoints, including internal services that are not publicly accessible. Although the SSRF is semi-blind, meaning that the attacker may not see the full response, the ability to interact with internal systems can lead to enumeration, data exfiltration, and potentially remote code execution if internal APIs expose sensitive functionality.
Impact
Exploitation of this vulnerability allows an attacker to make the application send HTTP requests to arbitrary internal or external endpoints. This could involve accessing internal services like Elasticsearch, Redis, or RabbitMQ to extract sensitive data or manipulate internal components. In cloud environments, there is a risk of targeting metadata services such as AWS, Azure, or GCP to obtain credentials and configuration details, potentially leading to a full compromise of the infrastructure. The semi-blind nature of the SSRF means that while the attacker may not see the complete response, the interaction with internal services can still have significant consequences.
Remediation
Users can upgrade to OpenCTI version 6.8.16 or later to address this vulnerability.
