hcengineering Huly Platform Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in hcengineering Huly Platform version 0.7.382. The issue arises in the Import Endpoint component, specifically within the file server/front/src/index.ts. This vulnerability allows authenticated users to send arbitrary URLs to the server, which then makes HTTP requests to those URLs without proper validation. As a result, attackers could access internal network services, cloud metadata endpoints, and sensitive data from internal services. The vulnerability is exacerbated by the fact that the server logs user-supplied cookie values, potentially leaking session tokens.
Impact
Exploitation of this vulnerability could lead to unauthorized access to internal services, cloud metadata credentials, and sensitive data, with the potential for full infrastructure compromise in cloud environments.
Reproduction
To reproduce this vulnerability, authenticate with a valid workspace token and send a request to the '/import' endpoint using either the GET or POST method. Include a URL that points to an internal service or a cloud metadata endpoint. The server will fetch the URL, and the response can be accessed from the workspace's blob storage.
Remediation
No specific mitigation is known. Recommended hardening is to validate import URLs against an allowlist of permitted hosts, to reject destinations that resolve to private or reserved IP ranges (including link-local cloud metadata addresses), and to stop writing cookie values to the server log.
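As an added illustration of the remediation above (example code written for this page, not part of Huly or of the advisory): a TypeScript guard that an import endpoint would run before fetching a user-supplied URL. It enforces an http/https-only scheme, a hostname allowlist, and a fail-closed check that every address the host resolves to is outside loopback, RFC 1918, link-local (169.254.0.0/16), CGNAT, multicast and IPv6 ULA/link-local ranges, plus a header redactor so cookies never reach the log. The allowlist entries, the `resolveHost` hook, the 203.0.113.0/24 and 10.0.0.5 sample addresses and every function name are assumptions constructed for the example.

```typescript
// Added example, not Huly's code. ALLOWED_HOSTS and the resolveHost hook are
// hypothetical; a real deployment would use its own allowlist and a DNS lookup.

type Decision = { ok: true; url: URL } | { ok: false; reason: string };

// Constructed sample allowlist of hosts the import feature may fetch from.
const ALLOWED_HOSTS: ReadonlySet<string> = new Set(["files.example.com", "cdn.example.org"]);

// Parse a dotted-quad IPv4 literal into four octets, or null if it is not one.
function parseIPv4(host: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// IPv4 ranges an import fetch must never reach: 0.0.0.0/8, 10/8, 127/8,
// 100.64/10 (CGNAT), 169.254/16 (link-local, incl. cloud metadata),
// 172.16/12, 192.168/16, 198.18/15 (benchmarking), 224/4 and 240/4.
function isPrivateOrReservedIPv4(octets: number[]): boolean {
  const [a, b] = octets;
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 100 && b >= 64 && b <= 127) ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 198 && (b === 18 || b === 19)) ||
    a >= 224
  );
}

// IPv6: unspecified, loopback, link-local (fe80::/10), ULA (fc00::/7),
// and IPv4-mapped addresses (::ffff:a.b.c.d), which are re-checked as IPv4.
function isPrivateOrReservedIPv6(addr: string): boolean {
  const h = addr.replace(/^\[|\]$/g, "").toLowerCase();
  if (h === "::" || h === "::1") return true;
  if (h.startsWith("fe80:") || h.startsWith("fc") || h.startsWith("fd")) return true;
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(h);
  if (mapped) {
    const o = parseIPv4(mapped[1]);
    return o === null || isPrivateOrReservedIPv4(o);
  }
  return false;
}

// True when an address must be blocked. Anything that is neither a valid IPv4
// literal nor IPv6-shaped is treated as blocked (fail closed).
function isBlockedAddress(ip: string): boolean {
  const v4 = parseIPv4(ip);
  if (v4 !== null) return isPrivateOrReservedIPv4(v4);
  if (!ip.includes(":")) return true;
  return isPrivateOrReservedIPv6(ip);
}

// Validate a user-supplied import URL. resolveHost is an injected hook that
// returns the addresses a hostname resolves to, so the range check also covers
// DNS names (and lets this example run without network access).
function checkImportUrl(raw: string, resolveHost: (host: string) => string[]): Decision {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "malformed URL" };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  const host = url.hostname;
  if (!ALLOWED_HOSTS.has(host)) return { ok: false, reason: `host ${host} not in allowlist` };
  // Defence in depth: an allowlisted name must still not resolve into a blocked range.
  const addrs = resolveHost(host);
  if (addrs.length === 0) return { ok: false, reason: `host ${host} did not resolve` };
  for (const ip of addrs) {
    if (isBlockedAddress(ip)) return { ok: false, reason: `${host} resolves to blocked address ${ip}` };
  }
  return { ok: true, url };
}

// Copy of request headers safe to log: cookie and authorization values are masked.
function redactSensitiveHeaders(headers: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [name, value] of Object.entries(headers)) {
    const k = name.toLowerCase();
    out[name] = k === "cookie" || k === "set-cookie" || k === "authorization" ? "[redacted]" : value;
  }
  return out;
}

// Constructed resolver standing in for DNS in this example.
const sampleResolver = (h: string): string[] =>
  h === "files.example.com" ? ["203.0.113.10"] : h === "cdn.example.org" ? ["10.0.0.5"] : [];

console.log(checkImportUrl("https://files.example.com/report.pdf", sampleResolver));
console.log(checkImportUrl("https://cdn.example.org/x", sampleResolver));
console.log(redactSensitiveHeaders({ cookie: "sid=abc", "content-type": "text/plain" }));
```

The allowlist is the primary control; the address-range check exists because an allowlisted name can be pointed at an internal address through misconfiguration or DNS changes, and the resolved address should be the one actually connected to, otherwise a second lookup at fetch time can return something else.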