Appsmith Server-Side Request Forgery Vulnerability in WebClientUtils

Vulnerability

A server-side request forgery (SSRF) vulnerability affects Appsmith versions through 1.97. The flaw is in the WebClientUtils class, specifically the computeDisallowedHosts function, which does not adequately validate user-supplied URLs before the server issues outbound HTTP requests on the user's behalf. Because the check does not cover every way of naming an internal target, requests can still reach private IP ranges, internal cluster service names, or localhost, giving an Appsmith user who can create API requests a path to internal services and to the information they return.

Impact

Exploitation yields a general SSRF primitive: the Appsmith server can be made to contact internal services it can route to, return their responses, and potentially serve as a stepping stone for privilege escalation. The risk is highest in Kubernetes deployments, where the pod's network position may allow requests to the Kubernetes API.

Reproduction

To reproduce, create an API request in Appsmith whose target is a private IP address or an internal service name rather than a host the block list names. Replacing 'localhost' with the Docker gateway IP or another private address gets past the check, because the validation blocks specific host names such as 'localhost' without rejecting other addresses that reach the same host or network; adding the headers the target expects makes the forged request look legitimate to the internal service.
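The bypass described above comes down to how the outbound-host check is written. The following is an added example, not Appsmith's WebClientUtils code: naive_is_allowed mirrors the block-list-by-name pattern the advisory describes, and hardened_is_allowed resolves the host and rejects any non-public address. The resolver is pluggable so the demonstration runs offline; FAKE_DNS, the 10.96.0.1 ClusterIP, the Docker gateway 172.17.0.1 and the example host names are constructed assumptions.

```python
"""Weak vs. hardened outbound-host validation for an SSRF guard (added example)."""
import ipaddress
import socket
from typing import Callable, Dict, List
from urllib.parse import urlsplit

# Naive guard: a literal host block list (constructed, illustrative). Any alias
# for the same target, such as the Docker gateway, a cluster service name or
# a trailing-dot form of localhost, walks straight past it.
NAIVE_DISALLOWED_HOSTS = {"localhost", "127.0.0.1", "0.0.0.0", "::1"}


def naive_is_allowed(url: str) -> bool:
    host = urlsplit(url).hostname
    return host is not None and host not in NAIVE_DISALLOWED_HOSTS


def system_resolver(host: str) -> List[str]:
    """Resolve with the OS stack; returns every A/AAAA answer as a string."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_non_public(addr: str) -> bool:
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop an IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    # Belt and braces: is_global already excludes most of these ranges on
    # recent Pythons, but the explicit flags keep the answer stable.
    return (not ip.is_global or ip.is_private or ip.is_loopback
            or ip.is_link_local or ip.is_multicast or ip.is_reserved
            or ip.is_unspecified)


def hardened_is_allowed(url: str,
                        resolver: Callable[[str], List[str]] = system_resolver) -> bool:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if not host:
        return False
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal address: no DNS needed
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False  # unresolvable name: fail closed
    if not addrs:
        return False
    # Reject if ANY answer is non-public: a name with one public and one
    # internal record must not slip through.
    return not any(_is_non_public(a) for a in addrs)


# Constructed resolver table standing in for DNS inside a container/cluster.
FAKE_DNS: Dict[str, List[str]] = {
    "kubernetes.default.svc": ["10.96.0.1"],   # assumed K8s API ClusterIP
    "localhost.": ["127.0.0.1"],               # trailing-dot alias
    "public.example": ["8.8.8.8"],             # stands in for a public host
    "dual.example": ["8.8.8.8", "10.0.0.5"],   # split public/internal answer
}


def fake_resolver(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver: no record for {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for url in ["http://localhost:8080/", "http://172.17.0.1:8080/",
                "http://kubernetes.default.svc/", "http://[::ffff:127.0.0.1]/",
                "http://169.254.169.254/latest/meta-data/", "http://public.example/"]:
        print(f"{url:45} naive={naive_is_allowed(url)!s:5} "
              f"hardened={hardened_is_allowed(url, fake_resolver)}")
```

Two caveats apply even to the hardened form. First, the check resolves the name once, while the HTTP client resolves it again at connect time, so a DNS answer that changes between the two (rebinding) defeats it; the robust fix is to connect to the vetted address directly or re-run the check in the client's connection hook. Second, a public host that answers with a redirect to an internal address bypasses the guard unless automatic redirect following is disabled or each hop is re-checked.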

Remediation

Users are advised to upgrade to Appsmith version 1.99, which addresses this vulnerability.

Added: Apr 2, 2026, 9:38 PM
Updated: Apr 2, 2026, 9:38 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 0.4
exploitability: 6.0
remediation: 7.7
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.