Vikunja OpenID Connect Avatar Download SSRF Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in Vikunja, an open-source task management platform, in versions prior to 2.2.1. The issue arises in the 'DownloadImage' function within 'pkg/utils/avatar.go', which uses a default 'http.Client' without any SSRF protection when downloading user avatar images from the OpenID Connect 'picture' claim URL. Because the download goes through this unguarded client, an attacker who controls the 'picture' claim of their own OIDC profile can cause the Vikunja server to issue HTTP GET requests to arbitrary internal or cloud metadata endpoints, sidestepping the SSRF protections that the webhook system does implement.
Impact
Exploitation of this vulnerability allows access to cloud instance metadata services from the Vikunja server's network position, potentially leaking sensitive information such as IAM credentials and configuration data. Additionally, the vulnerability could be used for internal network reconnaissance, interaction with internal services that respond to GET requests, and could cause memory exhaustion on the Vikunja server by downloading large resources without a size limit.
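The two defects described above, an unguarded client and an unbounded body read, are best seen beside a hardened fetcher. The following Go program is an added example written for this page; it is not Vikunja's code and does not claim to reproduce the webhook system's implementation. It vets the resolved address at dial time (not only the URL string, so a DNS answer cannot change between validation and connection), re-checks every redirect target, and caps the response size to address the memory-exhaustion point. The function and error names, the 1 MiB limit and the loopback URL in main are assumptions made for this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"time"
)

// Assumed policy value for this example; the page gives no limit of Vikunja's own.
const maxAvatarBytes int64 = 1 << 20 // 1 MiB cap on a downloaded avatar

var errBlockedAddress = errors.New("avatar URL resolves to a blocked address")
var errBadScheme = errors.New("avatar URL scheme must be http or https")
var errTooLarge = errors.New("avatar exceeds size limit")

// isBlockedIP rejects loopback, RFC 1918 / ULA private, link-local (which covers the
// 169.254.169.254 cloud metadata endpoint), unspecified and multicast addresses.
func isBlockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsUnspecified() || ip.IsMulticast() || ip.IsInterfaceLocalMulticast()
}

// checkURL is applied to the initial URL and, via CheckRedirect, to every redirect target.
func checkURL(u *url.URL) error {
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("%w: %q", errBadScheme, u.Scheme)
	}
	return nil
}

// safeDialContext resolves the host itself, vets every answer and dials the vetted IP
// literal, so a name cannot resolve publicly when validated and internally when connected
// (DNS rebinding). TLS still verifies the original hostname: http.Transport layers it on top.
func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	for _, ipa := range ips {
		if isBlockedIP(ipa.IP) {
			return nil, fmt.Errorf("%w: %s -> %s", errBlockedAddress, host, ipa.IP)
		}
	}
	d := &net.Dialer{Timeout: 5 * time.Second}
	return d.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
}

// newAvatarClient is the hardened replacement for a bare http.Client{}.
func newAvatarClient() *http.Client {
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{DialContext: safeDialContext},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return checkURL(req.URL) // the dialer then re-vets the redirect target's address
		},
	}
}

// readAtMost fails instead of buffering a hostile multi-gigabyte body into memory.
func readAtMost(r io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, errTooLarge
	}
	return data, nil
}

// downloadAvatar fetches the OIDC 'picture' URL with all of the above applied.
func downloadAvatar(client *http.Client, rawURL string) ([]byte, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if err := checkURL(u); err != nil {
		return nil, err
	}
	resp, err := client.Get(u.String())
	if err != nil {
		return nil, err // a dialer refusal arrives as errBlockedAddress wrapped in *url.Error
	}
	defer resp.Body.Close()
	return readAtMost(resp.Body, maxAvatarBytes)
}

func main() {
	// Constructed loopback URL standing in for an internal service; refused before any connect.
	_, err := downloadAvatar(newAvatarClient(), "http://127.0.0.1:8080/avatar.png")
	fmt.Println("loopback fetch:", err)
}
```

Running it needs no network: the dialer refuses the loopback address before a connection is attempted, and the same check runs for every hostname the resolver returns and for every redirect hop. Checking the address inside the dialer rather than by inspecting the URL is the design choice that matters; a URL-level allow-list alone is defeated by a hostname whose DNS answer changes, or by a public host that redirects to an internal one.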
Reproduction
To reproduce this vulnerability, log into a Vikunja instance with OpenID Connect configured. After authentication, the Vikunja server downloads the avatar from the URL given in the 'picture' claim. If this URL points to an internal metadata service, the request is made from the server's network context, bypassing network access controls that would block the same request from outside. This can be verified by setting up a listener on the internal service and observing the incoming request.
Remediation
Users should update Vikunja to version 2.2.1 or later, where this vulnerability has been patched. The update can be downloaded from the Vikunja downloads page or by pulling the latest Docker image.
