Eclipse BaSyx Java Server SDK Unauthenticated Blind Server-Side Request Forgery Vulnerability
Vulnerability
A blind server-side request forgery (SSRF) vulnerability has been identified in the Eclipse BaSyx Java Server SDK in versions prior to 2.0.0-milestone-10. It arises from the Operation Delegation feature, which does not validate the destination URI of a delegated request before forwarding it. An unauthenticated remote attacker can therefore make the BaSyx server issue HTTP POST requests to arbitrary internal or external targets; the SSRF is blind because the target's response is not returned to the attacker. Because the request originates from the server itself, it bypasses network segmentation and can reach otherwise isolated internal IT/OT infrastructure or cloud instance-metadata services.
Impact
Exploitation lets an attacker use the BaSyx server as a relay to reach and interact with internal systems or services that it could not address directly. Even though the response is not returned, the forwarded POST can still trigger side effects on internal endpoints, and differences in error or timing behaviour may reveal which internal hosts and ports are reachable, which can enable further attacks or data exposure.
Reproduction
The vulnerability can be reproduced with a JUnit integration test that stands up a simulated internal asset, configures its URL as the delegation target of an operation, invokes that operation, and verifies that the BaSyx server forwards the request to the asset without any destination check, i.e. across the network boundary the asset was meant to sit behind.
Remediation
Users are advised to update to Eclipse BaSyx version 2.0.0-milestone-10 or later, where this vulnerability has been fixed.
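The advisory only states that the destination URI is not validated. As an added example, which is not Eclipse BaSyx code and does not show how the fix in 2.0.0-milestone-10 is implemented, the block below shows the check a delegating server should perform before forwarding: scheme and userinfo checks, an optional host allowlist, a port policy, refusal of known metadata hostnames, and a resolve-then-inspect step that rejects any target whose addresses fall in loopback, private, link-local (169.254.169.254 included) or other non-global ranges. The allowlist, the default port policy, the `METADATA_HOSTNAMES` set, the resolver hook and the `CONSTRUCTED_DNS` map are assumptions made for the example; the recording `http_post` callable stands in for the simulated internal asset of the reproduction test.

```python
"""Destination-URI check for a delegated operation call (illustrative SSRF guard).

Added example for this advisory; it is not Eclipse BaSyx code. The allowlist,
port policy, resolver hook and the DNS map used for the demo are assumptions.
"""
import ipaddress
import socket
from urllib.parse import urlsplit


class DelegationTargetRejected(ValueError):
    """Raised when a delegation target URL fails the SSRF policy."""


# Hostnames of cloud instance-metadata services, refused by name before any
# resolution happens (assumed, non-exhaustive list).
METADATA_HOSTNAMES = {"metadata.google.internal", "metadata"}


def address_is_internal(ip):
    """True for loopback, RFC 1918, link-local (incl. 169.254.169.254), CGNAT,
    multicast and other non-global ranges. IPv4-mapped IPv6 addresses are judged
    by the embedded IPv4 address, so ::ffff:127.0.0.1 counts as 127.0.0.1."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_multicast or not ip.is_global


def system_resolver(host):
    """Default resolver: every A/AAAA answer as a string (empty on NXDOMAIN)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def validate_delegation_target(url, allowed_hosts=None, allowed_ports=(80, 443),
                               resolver=None):
    """Return the parsed URL if it is an acceptable delegation target, else raise.

    allowed_hosts: optional set of hostnames that may receive delegated calls.
    resolver:      host -> list of IP strings; defaults to the system resolver.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise DelegationTargetRejected(f"scheme not allowed: {parts.scheme!r}")
    # user:pass@host fools checks that look only at the text before '@'.
    if parts.username is not None or parts.password is not None:
        raise DelegationTargetRejected("userinfo in delegation URL is not allowed")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        raise DelegationTargetRejected("delegation URL has no host")
    if host in METADATA_HOSTNAMES:
        raise DelegationTargetRejected(f"metadata service host refused: {host}")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise DelegationTargetRejected(f"host not in delegation allowlist: {host}")
    try:
        port = parts.port if parts.port is not None else (443 if parts.scheme == "https" else 80)
    except ValueError as exc:  # e.g. port out of range
        raise DelegationTargetRejected(f"bad port in delegation URL: {exc}")
    if port not in allowed_ports:
        raise DelegationTargetRejected(f"port not allowed: {port}")
    # Literal addresses are judged directly; names are resolved and EVERY answer
    # is checked, so a name with one public and one internal record is refused.
    try:
        addresses = [ipaddress.ip_address(host)]
    except ValueError:
        addresses = [ipaddress.ip_address(a) for a in (resolver or system_resolver)(host)]
    if not addresses:
        raise DelegationTargetRejected(f"host does not resolve: {host}")
    for ip in addresses:
        if address_is_internal(ip):
            raise DelegationTargetRejected(f"{host} resolves to internal address {ip}")
    return parts


def forward_delegated_call(url, body, http_post, allowed_hosts=None, resolver=None):
    """Guarded forwarder: validate first, then hand off to http_post(url, body)."""
    validate_delegation_target(url, allowed_hosts=allowed_hosts, resolver=resolver)
    return http_post(url, body)


# Constructed DNS answers so the example runs offline (93.184.216.x stands in
# for a public address; none of these are real lookups).
CONSTRUCTED_DNS = {
    "assets.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "rebind.example.net": ["93.184.216.35", "10.0.0.7"],
}


def constructed_resolver(host):
    return CONSTRUCTED_DNS.get(host, [])


if __name__ == "__main__":
    sent = []

    def recording_post(url, body):  # stands in for the simulated internal asset
        sent.append(url)
        return 202

    allow = {"assets.example.com", "rebind.example.net"}
    targets = [
        "https://assets.example.com/op",             # allowlisted, public: forwarded
        "http://127.0.0.1:8080/internal/asset",      # not allowlisted, loopback: rejected
        "http://169.254.169.254/latest/meta-data/",  # cloud metadata: rejected
        "http://assets.example.com@10.0.0.5/",       # userinfo trick: rejected
        "http://rebind.example.net/",                # one internal answer: rejected
    ]
    for t in targets:
        try:
            forward_delegated_call(t, b"{}", recording_post, allow, constructed_resolver)
            print("forwarded", t)
        except DelegationTargetRejected as e:
            print("rejected ", t, "->", e)
```

Two caveats remain even with this check in place. The HTTP client must connect to the address that was validated (pinning the resolved IP and sending the hostname in the Host header) rather than resolving the name a second time, otherwise a DNS record that changes between check and use re-opens the hole; and redirects must not be followed, since a public target that answers with a 302 to an internal address would otherwise carry the forwarded POST inside the perimeter anyway.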
