WeKnora Server-Side Request Forgery Vulnerability in Document Import Feature
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability has been identified in WeKnora versions prior to 0.2.12. The issue arises in the 'Import document via URL' feature, where the application fails to properly validate HTTP redirect targets. Although the backend implements strict URL validation by blocking private IPs, loopback addresses, reserved hostnames, and cloud metadata endpoints, it does not extend this validation to redirect locations. This oversight allows attackers to exploit the feature by chaining redirects, potentially accessing internal services. Additionally, Docker-specific internal addresses like host.docker.internal are not blocked, further expanding the attack surface.
Impact
Exploitation of this vulnerability could lead to unauthorized access to internal services and databases from the application container, including those running in Docker. This could allow attackers to access sensitive data, such as internal database information from PostgreSQL, MongoDB, or MySQL, as well as information from Redis caches or configuration servers. The vulnerability also exposes Docker container metadata and environment variables, and could facilitate lateral movement to other containers within the same Docker network. In some cases, it could lead to remote code execution if the accessed internal services have exploitable vulnerabilities.
Reproduction
To reproduce this vulnerability, send a POST request to the '/api/v1/knowledge-bases/{id}/knowledge/url' endpoint with a URL that redirects to an internal service, such as one accessible via 'host.docker.internal'. The initial URL will pass validation, but the subsequent redirect to an internal service will not be checked, allowing access to internal resources.
Remediation
Users should update to WeKnora version 0.2.12 or later, where this vulnerability has been patched.
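One way to close the gap described above, as an added Go example that is not WeKnora's actual patch: the same URL policy is applied to every redirect hop through `http.Client.CheckRedirect`, and internal addresses are refused again at connect time, after DNS resolution. The function names, the hostname list, the five-hop limit and the timeouts are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"syscall"
	"time"
)

// Names refused outright (assumed list); host.docker.internal is the one the advisory names.
var blockedHosts = map[string]bool{"localhost": true, "host.docker.internal": true,
	"gateway.docker.internal": true, "metadata.google.internal": true}

// ipBlocked covers loopback, private, link-local (169.254.169.254) and unspecified; nil reports false.
func ipBlocked(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// ValidateURL is the single policy, applied to the submitted URL and to every redirect target.
func ValidateURL(u *url.URL) error {
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	okScheme := u.Scheme == "http" || u.Scheme == "https"
	if !okScheme || host == "" || blockedHosts[host] || ipBlocked(net.ParseIP(host)) {
		return fmt.Errorf("target %q (scheme %q) not allowed", host, u.Scheme)
	}
	return nil
}

// NewImportClient re-validates each hop and checks the resolved IP when the socket connects.
func NewImportClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: func(_, addr string, _ syscall.RawConn) error {
		host, _, err := net.SplitHostPort(addr) // addr is the resolved IP:port
		if ip := net.ParseIP(host); err != nil || ip == nil || ipBlocked(ip) {
			return fmt.Errorf("dial to %s blocked by SSRF policy", addr)
		}
		return nil
	}}
	return &http.Client{Timeout: 15 * time.Second, Transport: &http.Transport{DialContext: d.DialContext},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return fmt.Errorf("stopped after %d redirects", len(via))
			}
			return ValidateURL(req.URL) // the check that was missing on redirect locations
		}}
}

func main() { fmt.Println(ValidateURL(&url.URL{Scheme: "http", Host: "host.docker.internal:6379"})) }
```

The caller still runs `ValidateURL` on the submitted URL before the first request, since `CheckRedirect` only fires on redirects; the dial-time check is what catches public hostnames that resolve to internal addresses.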
