DataLinkDC Dinky Server-Side Request Forgery Vulnerability in Flink Proxy Controller
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in DataLinkDC Dinky versions through 1.2.5. The issue resides in the Flink Proxy Controller, specifically in the 'proxyUba' function of the 'FlinkProxyController.java' file. An authenticated user can supply an arbitrary URL that the server fetches without validating the target. As a result, attackers can reach internal network resources, cloud metadata services, and services bound to localhost, potentially leading to credential theft and unauthorized access to sensitive data.
Impact
Exploitation of this vulnerability allows for server-side request forgery, where the Dinky server is tricked into making HTTP requests to internal or external resources on behalf of the attacker. This can be used to access cloud metadata services, internal databases, administrative interfaces, and other sensitive resources, facilitating credential theft and lateral movement within the infrastructure.
Reproduction
To reproduce this vulnerability, an authenticated user sends a crafted HTTP request to the Dinky server's Flink Proxy API. The request must include a URL pointing to a target resource, such as a cloud metadata service or an internal database. The Dinky server processes the request, performs the outbound fetch, and returns the response to the attacker, thereby exposing sensitive information or granting access to internal services.
Remediation
It is recommended to implement a URL allowlist (whitelist) that restricts proxy targets to trusted Flink cluster endpoints, to add network-level controls that block access to cloud metadata services and internal IP ranges, to strengthen authorization by restricting proxy access to specific user roles, and to implement monitoring and alerting for proxy requests.
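The allowlist check described above, as an added example that is not part of Dinky's code: the proxy target is accepted only if its scheme is HTTP(S), it carries no userinfo, its host is not an IP literal in a loopback, link-local, private or otherwise non-routable range, and its host and port exactly match a configured Flink endpoint. The endpoint names are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample allowlist of trusted Flink cluster endpoints (host, port).
ALLOWED_FLINK_ENDPOINTS = {
    ("flink-jobmanager.internal", 8081),
    ("flink-jm-2.internal", 8081),
}


def is_blocked_literal_ip(host: str) -> bool:
    """True if host is an IP literal in a range a proxy must never reach
    (loopback, link-local incl. cloud metadata, RFC 1918, multicast, ...)."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # not an IP literal; hostnames are handled by the allowlist
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_proxy_target(url: str, allowed=ALLOWED_FLINK_ENDPOINTS) -> bool:
    """Return True only if url may be proxied to a trusted Flink endpoint."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return False  # no file://, gopher://, etc.
    if parts.username is not None or parts.password is not None:
        return False  # rejects http://trusted-host@other-host/ style confusion
    host = parts.hostname  # already lowercased, brackets stripped for IPv6
    if not host:
        return False
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if port is None:
        port = 443 if scheme == "https" else 80
    if is_blocked_literal_ip(host):
        return False
    # Exact host:port match, never a prefix or substring check.
    return (host, port) in allowed
```

A hostname that passes this check can still resolve to an internal address (DNS rebinding), so the resolved IP should be re-checked against the same ranges at connection time.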
