halo
cpe:2.3:a:halo:halo:*:*:*:*:*:*:*, +1 more
- 2.22.14
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Halo version 2.22.14. The issue is in the '/plugins/{name}/upgrade-from-uri' endpoint: an authenticated attacker supplies a URI of their choosing, and the server fetches it with a GET request without validating the target. Because the URI is not restricted, the server can be made to request internal network addresses, which lets the attacker probe internal hosts and reach services that are not exposed outside the network.
Successful exploitation lets an authenticated attacker reach internal network resources through the Halo server: they can determine which internal hosts and ports respond and read responses from internal services that are not reachable from outside the network, resulting in unauthorized disclosure of information held by those services.
To reproduce this vulnerability, as an authenticated user send a request to the '/apis/uc.api.storage.halo.run/v1alpha1/plugins/{name}/upgrade-from-uri' endpoint with a URI that points to an internal resource (for example an internal IP address and port). The application fetches the URI with a GET request without validating it; the result the endpoint returns indicates whether the internal service is reachable and, where the service answers, exposes its content.
It is recommended to reject URIs that point at internal addresses before the server fetches them. A plain blacklist of internal IP address strings is not sufficient on its own: it is bypassed by alternate address encodings (such as '127.1', hexadecimal or decimal forms, IPv6 loopback and IPv4-mapped IPv6 addresses) and by hostnames that resolve to internal addresses. A robust check restricts the scheme to http/https, resolves the hostname and tests every resulting address against loopback, private, link-local (including the 169.254.169.254 cloud metadata address) and other non-public ranges, connects to the address that was validated rather than re-resolving the name, and does not follow redirects. An allowlist of approved plugin sources is stronger still.
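As an added example (not Halo's code and not part of the original advisory), the following Python contrasts the kind of string blacklist the remediation mentions with a resolve-then-check validator. The function names, the stub DNS table and every address in it are constructed for the example; `check_upgrade_uri` is a hypothetical helper, not a Halo API, and `system_resolver` shows where a real deployment would call the OS resolver.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# A string-matching blacklist of the kind the advisory recommends. Hypothetical
# illustration, not Halo's code.
NAIVE_BLOCKLIST = ("localhost", "127.0.0.1", "10.", "172.16.", "192.168.", "169.254.")


def naive_blocklist_allows(uri: str) -> bool:
    """Return True if the string blacklist would let the fetch proceed."""
    host = urlsplit(uri).hostname or ""
    return not any(marker in host for marker in NAIVE_BLOCKLIST)


def _is_non_public(ip) -> bool:
    """True for any address the server must never fetch on a user's behalf."""
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d); older Pythons do not apply the
    # IPv4 rules to it automatically.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified
            or ip in ipaddress.ip_network("100.64.0.0/10"))   # CGNAT space


def system_resolver(host: str) -> list[str]:
    """Resolve with the OS resolver; this is what a real deployment would use."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_upgrade_uri(uri: str, resolver=system_resolver):
    """Allow-list check for a user-supplied plugin URI.

    Returns (ok, reason, pinned_addresses). The caller must connect to one of
    the returned addresses instead of re-resolving the name, and must not
    follow redirects, or DNS rebinding / a 302 to an internal host re-opens it.
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed", []
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URI not allowed", []
    host = parts.hostname
    if not host:
        return False, "URI has no host", []
    try:
        # Literal address: IPv4, bracketed IPv6, IPv4-mapped IPv6, ...
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        # A hostname, or an IPv4 spelling ip_address() rejects but the libc
        # resolver accepts ("127.1", "0x7f000001", "2130706433"): resolve it
        # and judge the resolved addresses, never the string.
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host!r}: {exc}", []
    if not addrs:
        return False, f"{host!r} has no addresses", []
    for ip in addrs:   # every A/AAAA answer must be public, not just the first
        if _is_non_public(ip):
            return False, f"{host!r} resolves to non-public address {ip}", []
    return True, "ok", [str(a) for a in addrs]


# Constructed DNS answers so the example runs offline; all addresses are made up.
STUB_DNS = {
    "plugins.example.org": ["93.184.216.34"],
    "rebind.example.org": ["93.184.216.34", "10.0.0.5"],  # one public, one internal
    "127.1": ["127.0.0.1"],          # what glibc's inet_aton makes of these forms
    "0x7f000001": ["127.0.0.1"],
    "2130706433": ["127.0.0.1"],
}


def stub_resolver(host: str) -> list[str]:
    if host not in STUB_DNS:
        raise socket.gaierror(f"stub: unknown host {host!r}")
    return STUB_DNS[host]


if __name__ == "__main__":
    for uri in ("https://plugins.example.org/plugin.jar",
                "http://127.0.0.1:8090/", "http://127.1/", "http://0x7f000001/",
                "http://[::1]/", "http://[::ffff:10.0.0.5]/",
                "http://169.254.169.254/latest/meta-data/",
                "http://rebind.example.org/", "file:///etc/passwd"):
        print(f"{uri:45} blacklist={naive_blocklist_allows(uri)!s:5} "
              f"resolve-then-check={check_upgrade_uri(uri, stub_resolver)[:2]}")
```

Run with the stub resolver, the string blacklist lets '127.1', '0x7f000001', '[::1]' and the rebinding hostname through while the resolve-then-check validator rejects all of them; the only URI it accepts is the one whose every resolved address is public. The pinned address list it returns is what the fetch should connect to.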