Arcane Unauthenticated Server-Side Request Forgery Vulnerability in Template Fetch Endpoint
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in Arcane versions prior to 1.17.3. The vulnerability exists in the '/api/templates/fetch' endpoint, which accepts a user-supplied URL parameter and performs an HTTP GET request to that URL. This is done without authentication and without validating the URL scheme or host. The response from the server is returned directly to the caller. This vulnerability allows for unauthenticated access to internal services and networks, potentially leading to unauthorized service discovery or access to sensitive information.
Impact
Exploitation of this vulnerability allows for unauthenticated port scanning of internal networks and access to internal HTTP services that are not exposed to the public internet, such as service discovery endpoints, internal dashboards, and the Kubernetes API.
Reproduction
To reproduce this vulnerability, send an unauthenticated GET request to the '/api/templates/fetch' endpoint, including the target URL as a query parameter. The response will reflect the outcome of the request, indicating whether the target URL was successfully accessed or if an error occurred.
Remediation
Users can upgrade to Arcane version 1.17.3 or later to address this vulnerability.
