FireFighter Unauthenticated Server-Side Request Forgery Vulnerability in Jira Bot Endpoint Allows IAM Credential Theft
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in the FireFighter incident management application prior to version 0.0.54. The issue lies in the POST /api/v2/firefighter/raid/jira_bot endpoint, which is reachable without authentication. The endpoint fetches attachment payloads with httpx.get() without validating the supplied URL and then uploads the fetched content to Jira tickets. Because no authentication is required, anyone who can reach the endpoint can make the application retrieve an arbitrary URL, including the EC2 instance metadata service, and have the response stored as a Jira attachment. On EC2 or EKS deployments that do not enforce IMDSv2, this exposes the temporary AWS credentials associated with the pod's IAM role.
Impact
Exploitation of this vulnerability allows for unauthorized access to AWS credentials on EC2/EKS deployments that do not enforce IMDSv2, by exfiltrating these credentials through the vulnerable Jira bot endpoint as an attachment on a Jira ticket.
Remediation
Users are advised to upgrade to FireFighter version 0.0.54 or later, where this vulnerability has been fixed by implementing authentication requirements, validating attachment URLs, and addressing an unrelated regression error. Until an upgrade is possible, access to the vulnerable endpoint can be restricted to trusted networks, the Jira API token can be rotated or revoked as an emergency measure, or IMDSv2 can be enforced on EC2/EKS nodes to mitigate the risk of credential theft.
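A defensive URL check of the kind the fix describes, as an added example that is not FireFighter's own code: `is_safe_attachment_url` and `resolve_host` are hypothetical names, the HTTPS-only policy is an assumption, and the resolver is injectable so the check can be tested offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Assumption: attachment sources in this deployment are always HTTPS, so
# every other scheme (http, file, gopher, ...) is rejected outright.
ALLOWED_SCHEMES = {"https"}


def resolve_host(host: str) -> Iterable[str]:
    """Resolve a hostname to every address it currently points at (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_public_address(text: str) -> bool:
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918, link-local (which covers the EC2 metadata
    address 169.254.169.254), CGNAT, documentation ranges and multicast.
    IPv4-mapped IPv6 forms such as ::ffff:169.254.169.254 are unwrapped
    first so the IPv4 rules apply to them as well.
    """
    ip = ipaddress.ip_address(text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def is_safe_attachment_url(
    url: str, resolve: Callable[[str], Iterable[str]] = resolve_host
) -> bool:
    """Decide whether an attachment URL may be fetched server-side."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username or parts.password:  # userinfo is never needed here
        return False
    host = parts.hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)  # literal IP host: check it directly
        addresses = [host]
    except ValueError:
        try:
            addresses = list(resolve(host))
        except OSError:  # unresolvable name: fail closed
            return False
    # Every resolved address must be public, so a name that mixes a public
    # and an internal address does not get a pass on the public one.
    return bool(addresses) and all(_is_public_address(a) for a in addresses)
```

The fetch itself should also be made with redirects disabled and each redirect target passed through this check again, and pinning the resolved address at connect time would close the remaining DNS rebinding window.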