OpenObserve
cpe:2.3:a:openobserve:openobserve:*:*:*:*:*:*:*
- <= 0.14.5
A server-side request forgery (SSRF) vulnerability has been identified in OpenObserve versions through 0.14.5. The issue arises in the 'validate_enrichment_url' function, which fails to properly validate IPv6 addresses due to the way Rust's 'url' crate formats them, enclosing them in brackets. This oversight allows authenticated attackers to access internal services that are normally restricted from external access. In cloud deployments, this could lead to unauthorized retrieval of IAM credentials from AWS, GCP, or Azure. On self-hosted deployments, it could enable probing of internal network services.
Exploitation of this vulnerability allows authenticated attackers to bypass URL validation and access internal services, potentially leading to unauthorized data access or manipulation. In cloud environments, it could result in the exposure of sensitive metadata and credentials.
To reproduce this vulnerability, log into OpenObserve as an authenticated user and create or use an existing enrichment table. Then, send a POST request to the enrichment table URL endpoint, including an IPv6 address bypass payload, such as 'http://[::ffff:169.254169.254]/latest/meta-data/' to exploit the SSRF vulnerability and retrieve IAM credentials.
Users are advised to update to the latest version of OpenObserve, where this vulnerability has been addressed.
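The flaw described above is a host check that sees the IPv6 literal in its bracketed form and so never matches an IPv4 deny list. The following is an added example, not OpenObserve's code: a Python stand-in for that weak check beside a hardened one that parses the URL, strips the brackets, and unwraps IPv4-mapped, 6to4 and NAT64 literals before deciding (the deny list and NAT64 handling are the author's assumptions, not the project's).

```python
"""Added example (not OpenObserve's code): an SSRF host check that handles
bracketed IPv6 literals and IPv4 addresses embedded in IPv6 literals."""
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for a string-based deny list of the kind the advisory
# describes. It compares against the raw authority, which keeps the brackets
# of an IPv6 literal, so "[::ffff:169.254.169.254]" never matches "169.254.".
DENIED_PREFIXES = ("127.", "10.", "169.254.", "192.168.", "localhost", "[::1]")

NAT64_WELL_KNOWN = ipaddress.ip_network("64:ff9b::/96")  # RFC 6052 prefix


def naive_is_allowed(url: str) -> bool:
    """The weak pattern: substring checks on the unparsed host string."""
    return not urlsplit(url).netloc.startswith(DENIED_PREFIXES)


def embedded_ipv4(addr: ipaddress.IPv6Address):
    """Return the IPv4 address an IPv6 literal ultimately targets, if any."""
    if addr.ipv4_mapped is not None:      # ::ffff:a.b.c.d
        return addr.ipv4_mapped
    if addr.sixtofour is not None:        # 2002:AABB:CCDD::/48 (6to4)
        return addr.sixtofour
    if addr in NAT64_WELL_KNOWN:          # 64:ff9b::a.b.c.d
        return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return None


def is_allowed(url: str) -> bool:
    """Parse first, then decide on the address itself, not on its spelling."""
    parts = urlsplit(url)
    host = parts.hostname  # brackets stripped and lowercased; None if absent
    if parts.scheme not in ("http", "https") or not host:
        return False
    if "%" in host:  # scoped literal such as fe80::1%eth0 is always local
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name (or an integer/octal spelling the resolver may accept).
        # A real deployment must resolve it and run this same check on every
        # returned address; resolution is omitted in this example.
        return host != "localhost" and not host.endswith(".localhost")
    if isinstance(addr, ipaddress.IPv6Address):
        addr = embedded_ipv4(addr) or addr
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)
```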