Chartbrew Server-Side Request Forgery Vulnerability in API Data Connection

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Chartbrew, an open-source web application for creating charts from data sourced via APIs and databases. The vulnerability exists in versions through 4.0.0. It allows authenticated users to create API connections pointing at arbitrary URLs, which the application fetches with the 'request-promise' library without validating the destination IP address. As a result, the flaw can be used to reach internal networks or cloud metadata services, potentially leading to unauthorized data exposure or manipulation.

Impact

Exploitation of this vulnerability allows for server-side request forgery, where an authenticated user can make the server send requests to internal services or cloud metadata endpoints. This could result in accessing sensitive information, such as IAM credentials from AWS metadata, or interacting with internal databases and services.

Reproduction

To reproduce this vulnerability, an authenticated user can create an API connection in Chartbrew with a URL pointing to a cloud metadata service or an internal network address. After saving the connection, the user can test it through the Chartbrew API, which will trigger the server to fetch the URL without any IP validation, thereby accessing the metadata or internal service.

Remediation

Users can update to Chartbrew version 4.8.5 or later, where this vulnerability has been fixed.

Added: Apr 10, 2026, 8:38 PM
Updated: Apr 10, 2026, 8:38 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 6.3
remediation: 0.0
relevance: 5.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.