Kan Project Unauthenticated Server-Side Request Forgery Vulnerability in Attachment Download Endpoint

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in the Kan project management tool, affecting versions prior to 0.5.5. The issue lies in the '/api/download/attatchment' endpoint, which requires no authentication and does not properly validate the URL it is asked to fetch. An unauthenticated attacker can therefore make the server issue HTTP requests to internal services, cloud metadata endpoints, or private network resources, potentially exposing sensitive information or triggering unintended actions on those systems. The vulnerability has been patched in version 0.5.5.

Impact

Exploitation of this vulnerability allows for unauthenticated SSRF, where an attacker can make requests from the server to internal or private network resources, cloud metadata endpoints, or internal services, depending on the server's environment.

Remediation

Users are advised to update to Kan version 0.5.5 or later. For those unable to update, access to the '/api/download/attatchment' endpoint should be blocked or restricted at the reverse proxy level, using tools such as nginx or Cloudflare.

Added: Mar 19, 2026, 12:21 AM
Updated: Mar 19, 2026, 12:21 AM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 0.6
exploitability: 7.5
remediation: 0.0
relevance: 4.1
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.