OpenRemote XXE Vulnerability in Velbus Asset Import Allowing Server-Side File Disclosure and SSRF

Vulnerability

A vulnerability allowing XML External Entity (XXE) processing has been identified in OpenRemote versions up to and including 1.21.0, specifically within the Velbus asset import feature. The import path parses user-controlled XML without adequate protections against XXE, so an authenticated user with access to the import endpoint can trigger unauthorized disclosure of server files and Server-Side Request Forgery (SSRF). Exploitation requires the targeted file to be shorter than 1023 characters.

Impact

Exploitation of this vulnerability could result in limited disclosure of local files from the Manager runtime, as long as the files are under 1023 characters, and allow for SSRF attacks.

Reproduction

To reproduce this vulnerability, log into a realm with a user that has permission to use the Velbus asset import feature. Create or select a Velbus TCP Agent within that realm. Then, send a POST request to the import endpoint for the selected agent, including a Velbus project XML payload that exploits the XXE vulnerability by referencing a file through an external entity. Compare the behavior of this import with a standard baseline import file to observe the differences caused by the exploitation.

Remediation

Users can upgrade to OpenRemote version 1.22.0 or later, where this vulnerability has been addressed.
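The fix for this class of bug is to parse imported XML with a builder that refuses DTDs and never resolves external entities, which removes both the file-read and the SSRF primitive. The following is an added illustration, not OpenRemote's own code: the class and method names are hypothetical, and the sample Velbus project documents are constructed placeholders rather than the real Velbus schema.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/** Hypothetical guard for an uploaded Velbus project file (illustrative, not OpenRemote code). */
public final class VelbusImportXmlGuard {

    /** Build a DocumentBuilder that rejects any DOCTYPE and never fetches external resources. */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Refusing the DOCTYPE outright blocks SYSTEM entities, and with them file disclosure and SSRF.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth should a DTD ever be permitted again.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Parse an import payload and return its root element name; throws if the XML carries a DTD. */
    static String rootElementOf(String xml) throws Exception {
        Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTagName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs; element names are placeholders, not the real Velbus schema.
        String benign = "<?xml version=\"1.0\"?><VelbusProject><Module address=\"01\"/></VelbusProject>";
        String withDtd = "<?xml version=\"1.0\"?><!DOCTYPE VelbusProject [<!ENTITY e \"x\">]>"
                + "<VelbusProject>&e;</VelbusProject>";

        System.out.println("benign import root: " + rootElementOf(benign));
        try {
            rootElementOf(withDtd);
            System.out.println("UNEXPECTED: import containing a DTD was accepted");
        } catch (SAXParseException e) {
            // Desired outcome: the document is rejected before any entity could be resolved.
            System.out.println("rejected import containing a DTD: " + e.getMessage());
        }
    }
}
```

Rejecting the DOCTYPE is the decisive control; the remaining feature flags only matter if a later change re-enables DTD processing.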

Added: Apr 22, 2026, 9:21 PM
Updated: Apr 22, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 0.2
exploitability: 6.2
remediation: 7.7
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.