Weblate Server-Side Request Forgery Vulnerability in Machine Translation Configuration

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in Weblate, a web-based localization tool, affecting versions prior to 5.17. Users with the 'project.edit' permission can configure machine translation service URLs that point to arbitrary internal network addresses. While validating such a configuration, Weblate sends an HTTP request to the specified URL and reflects up to 200 characters of the response back to the user in an error message. An attacker can therefore read part of the response from the targeted URL.

Impact

Exploitation of this vulnerability gives an attacker Server-Side Request Forgery: the Weblate server can be made to issue requests to internal resources that the attacker cannot reach directly, and the reflected response fragment can disclose information from those resources.

Reproduction

To reproduce this vulnerability, a user with 'project.edit' permission adds a machine translation service URL that points to a private network address. After the configuration is saved, the system validates the URL by making a request to it. If the URL is reachable, the response is processed and part of it can be reflected back to the user, demonstrating the SSRF vulnerability.

Remediation

Weblate has released a patch for this vulnerability in version 5.17. Users can upgrade to this version to address the issue. If an immediate upgrade is not possible, the WEBLATE_MACHINERY setting can be used to limit available machinery services and mitigate the vulnerability.
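The two defensive changes the advisory implies are (1) refusing to contact a user-supplied service URL that resolves to a non-public address, and (2) never echoing the upstream response body in an error message. The following is an added illustration of both, written here for this page; it is not Weblate's own code, and the function names, the constructed DNS table and the sample URLs are assumptions. It checks every address a hostname resolves to (including IPv4-mapped IPv6 literals) and accepts an injectable resolver so it can run offline:

```python
# Hypothetical SSRF guard for user-supplied service URLs (added example, not
# Weblate's own code). Rejects URLs that reach non-public addresses before the
# server connects, and builds error messages that never echo the upstream body.
import ipaddress
import socket
from urllib.parse import urlsplit


class UnsafeURL(ValueError):
    """Raised when the server must not fetch the given URL."""


def resolve_all(host):
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_service_url(url, resolver=resolve_all):
    """Return url unchanged if every address it can reach is public.

    Rejects non-http(s) schemes, embedded credentials, and hosts (IP literals
    or names) that resolve to loopback, private, link-local, multicast or
    otherwise non-global ranges, including IPv4-mapped IPv6 forms.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials in URL are not allowed")
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal, no DNS needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            raise UnsafeURL(f"cannot resolve host {host!r}") from exc
    if not addrs:
        raise UnsafeURL(f"host {host!r} has no addresses")
    for addr in addrs:
        # ::ffff:10.0.0.1 is really 10.0.0.1; judge the embedded IPv4 address.
        candidate = getattr(addr, "ipv4_mapped", None) or addr
        if candidate.is_multicast or not candidate.is_global:
            raise UnsafeURL(f"host {host!r} resolves to non-public address {addr}")
    return url


def is_safe_service_url(url, resolver=resolve_all):
    """Boolean wrapper for callers that only need a verdict."""
    try:
        check_service_url(url, resolver)
    except UnsafeURL:
        return False
    return True


def validation_error_message(status_code, body):
    """Describe a failed upstream check without reflecting response content.

    Reporting only the status code and body length gives the operator
    something to act on while leaking nothing that was read from the target.
    """
    return (f"machine translation service check failed: "
            f"HTTP {status_code}, {len(body)} bytes of response discarded")


if __name__ == "__main__":
    # Constructed DNS table so the demo runs offline; real code uses resolve_all.
    fake_dns = {"api.example.com": ["93.184.216.34"], "internal.corp": ["10.0.0.5"]}
    lookup = lambda h: fake_dns.get(h, [])  # noqa: E731
    for candidate in ("https://api.example.com/v2/translate",
                      "http://internal.corp/translate",
                      "http://127.0.0.1:8080/",
                      "http://[::ffff:169.254.169.254]/"):
        print(candidate, "->", "allowed" if is_safe_service_url(candidate, lookup) else "blocked")
    print(validation_error_message(500, "internal banner that must not leak"))
```

One caveat worth noting: resolving the name at validation time and again when the request is made leaves a window for DNS rebinding, so a production guard should pin the address it validated (or validate inside the HTTP client's connect hook) rather than resolve twice. Restricting WEBLATE_MACHINERY, as the advisory suggests, sidesteps the problem entirely by removing user-configurable service URLs.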

Added: Apr 15, 2026, 8:12 PM
Updated: Apr 15, 2026, 8:12 PM

Vulnerability Rating

Custom Algorithm

  spread: 3.1
  impact: 0.6
  exploitability: 6.3
  remediation: 7.9
  relevance: 6.0
  threat: 4.8
  urgency: 2.9
  incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.