JeecgBoot Server-Side Request Forgery Vulnerability in File Download Feature

Vulnerability

A second-order server-side request forgery (SSRF) vulnerability has been identified in JeecgBoot versions through 3.9.1. The issue lies in the announcement file download feature, specifically in the LoadFile endpoint. An attacker can inject attacker-controlled HTTP URLs into the 'files' field of an announcement via the 'POST /sys/annountCement/add' endpoint, which does not validate URLs or IP addresses. When the 'GET /sys/annountCement/downLoadFiles' endpoint is later accessed, the server retrieves the stored URLs with 'HttpURLConnection' and no SSRF protections. The flaw could be exploited to scan internal networks, reach local services, and extract sensitive data such as cloud metadata.

Impact

Exploitation of this vulnerability results in second-order server-side request forgery: URLs injected into an announcement are later fetched by the server itself, potentially exposing internal data or granting access to local services.

Reproduction

To reproduce this vulnerability, first send a POST request to '/sys/annountCement/add' with an announcement whose 'files' field contains malicious URLs. After the announcement is saved, send a GET request to '/sys/annountCement/downLoadFiles' with the announcement ID. The server then processes the stored URLs, performing outbound requests that could reach internal resources or sensitive data.

Remediation

Users are advised to upgrade to JeecgBoot version 3.9.2 or later, where this vulnerability has been addressed.
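One defensive check for this class of bug, as an added example rather than JeecgBoot's own code: a hypothetical FileUrlGuard class that an application could call when the 'files' field is saved and again right before each stored URL is fetched, so values stored before the check existed are still rejected at download time. It assumes Java 17 (records, Set.of, List.of); the sample values in main are constructed, with 203.0.113.10 (a documentation address range) standing in for a legitimate external file host.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.List;
import java.util.Set;

/**
 * Hypothetical SSRF guard for URLs stored in an announcement's 'files' field
 * (added example, not JeecgBoot code). Run it at save time and again before fetch.
 */
public final class FileUrlGuard {

    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /** Outcome of a check; reason is null when the URL is accepted. */
    public record Verdict(boolean allowed, String reason) {}

    public static Verdict check(String raw) {
        URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            return new Verdict(false, "malformed URL");
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase())) {
            return new Verdict(false, "scheme not allowed: " + scheme);
        }
        if (uri.getUserInfo() != null) {
            return new Verdict(false, "credentials in URL not allowed");
        }
        String host = uri.getHost();
        if (host == null || host.isEmpty()) {
            return new Verdict(false, "missing host");
        }
        InetAddress[] addrs;
        try {
            addrs = InetAddress.getAllByName(host);
        } catch (UnknownHostException e) {
            return new Verdict(false, "host does not resolve");
        }
        // Every address the name maps to must be public; one internal answer rejects the URL.
        for (InetAddress a : addrs) {
            if (isInternal(a)) {
                return new Verdict(false, "resolves to internal address " + a.getHostAddress());
            }
        }
        return new Verdict(true, null);
    }

    /** True for address ranges a user-supplied download URL should never reach. */
    static boolean isInternal(InetAddress a) {
        byte[] b = a.getAddress();
        boolean uniqueLocalV6 = b.length == 16 && (b[0] & 0xfe) == 0xfc;                 // fc00::/7
        boolean sharedV4 = b.length == 4 && (b[0] & 0xff) == 100 && (b[1] & 0xc0) == 64; // 100.64.0.0/10
        return a.isLoopbackAddress()      // 127.0.0.0/8, ::1
            || a.isAnyLocalAddress()      // 0.0.0.0, ::
            || a.isLinkLocalAddress()     // 169.254.0.0/16 (cloud metadata), fe80::/10
            || a.isSiteLocalAddress()     // 10/8, 172.16/12, 192.168/16, fec0::/10
            || a.isMulticastAddress()
            || uniqueLocalV6
            || sharedV4;
    }

    /**
     * Opens the connection only after the guard accepts the URL. Redirects are not
     * followed: a public host answering 302 to an internal address would otherwise
     * bypass the check above.
     */
    public static HttpURLConnection openGuarded(String raw) throws IOException {
        Verdict v = check(raw);
        if (!v.allowed()) {
            throw new IOException("refusing to fetch " + raw + ": " + v.reason());
        }
        HttpURLConnection conn = (HttpURLConnection) URI.create(raw).toURL().openConnection();
        conn.setInstanceFollowRedirects(false);
        conn.setConnectTimeout(3_000);
        conn.setReadTimeout(5_000);
        return conn;
    }

    public static void main(String[] args) {
        // Constructed sample values for the 'files' field; 203.0.113.10 is from the
        // documentation range and stands in for a legitimate external file host.
        List<String> samples = List.of(
            "https://203.0.113.10/reports/q1.pdf",
            "http://169.254.169.254/",
            "http://127.0.0.1:8080/",
            "http://10.0.0.5/internal.txt",
            "http://localhost/",
            "file:///tmp/x",
            "http://user:pw@203.0.113.10/x",
            "not a url");
        for (String s : samples) {
            Verdict v = check(s);
            System.out.printf("%-40s %s%s%n", s,
                v.allowed() ? "ALLOW" : "DENY",
                v.reason() == null ? "" : " (" + v.reason() + ")");
        }
    }
}
```

Only the first sample is accepted; every other entry is refused with its reason. One caveat a practitioner should keep in mind: the hostname is resolved once in check and again by HttpURLConnection when it connects, so a name whose DNS answer changes between the two calls can still reach an internal address. Pinning the connection to the address that passed the check, or resolving through a resolver that refuses internal answers, closes that gap.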

Added: May 2, 2026, 5:20 AM
Updated: May 2, 2026, 5:20 AM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 0.6
exploitability: 6.0
remediation: 0.0
relevance: 7.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.