JeecgBoot OpenApi Service Second-Order Server-Side Request Forgery Vulnerability

Vulnerability

A second-order server-side request forgery (SSRF) vulnerability exists in JeecgBoot versions through 3.9.1. The issue is located in the OpenApi Service, specifically within the OpenApiController.java file, in the add and call methods. The vulnerability arises because the add method allows authenticated users to inject malicious URLs into the originUrl database field without proper validation or authorization. When the call method is later invoked, it retrieves the unvalidated URL and makes an outbound HTTP request, potentially bypassing network segmentation and accessing sensitive internal resources or cloud metadata.

Impact

Exploitation of this vulnerability allows for second-order server-side request forgery, where injected URLs are accessed by the server, potentially leading to unauthorized access to internal services or sensitive metadata.

Reproduction

To reproduce this vulnerability, send a POST request to the '/openapi/add' endpoint with a malicious URL injected into the 'originUrl' field. Then, invoke the '/openapi/call/{path}' endpoint to trigger the SSRF by accessing the injected URL.

Remediation

Users are advised to upgrade to version 3.9.2 or later, where this vulnerability has been addressed.
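For teams that cannot upgrade immediately, or that want a regression check for the pattern this advisory describes, the following Java class is an added example of the validation the add and call paths were missing. It is not JeecgBoot's own code and not the fix shipped in 3.9.2 (that patch is not reproduced on this page); the class name OriginUrlValidator, the scheme allow-list and the sample URLs are assumptions made for illustration. It rejects any originUrl whose scheme is not http/https, that carries user-info, or whose host resolves to a loopback, link-local (which covers the 169.254.169.254 metadata address), RFC 1918, CGNAT, multicast or IPv6 unique-local address.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Set;

// Hypothetical helper (not part of JeecgBoot): guard to run both when an
// originUrl is stored by add and again immediately before call fetches it.
public final class OriginUrlValidator {

    // Assumed policy: only plain HTTP(S) targets are acceptable upstreams.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    private OriginUrlValidator() {}

    // Returns true only when the URL parses cleanly, uses an allowed scheme,
    // has no user-info, and every address its host resolves to is public.
    public static boolean isSafe(String originUrl) {
        URI uri;
        try {
            uri = new URI(originUrl).parseServerAuthority();
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase())) {
            return false;
        }
        if (uri.getUserInfo() != null) {
            return false; // "http://trusted@127.0.0.1/" style confusion
        }
        String host = uri.getHost();
        if (host == null || host.isEmpty()) {
            return false;
        }
        InetAddress[] addresses;
        try {
            addresses = InetAddress.getAllByName(host);
        } catch (UnknownHostException e) {
            return false;
        }
        for (InetAddress address : addresses) {
            if (isInternal(address)) {
                return false; // any internal answer poisons the whole name
            }
        }
        return true;
    }

    // Address ranges an outbound request from the server must never reach.
    static boolean isInternal(InetAddress address) {
        if (address.isAnyLocalAddress() || address.isLoopbackAddress()
                || address.isLinkLocalAddress() || address.isSiteLocalAddress()
                || address.isMulticastAddress()) {
            return true;
        }
        byte[] raw = address.getAddress();
        if (raw.length == 4) {
            int first = raw[0] & 0xff;
            int second = raw[1] & 0xff;
            if (first == 0) {
                return true; // 0.0.0.0/8
            }
            if (first == 100 && (second & 0xc0) == 64) {
                return true; // 100.64.0.0/10 carrier-grade NAT
            }
        } else if (raw.length == 16) {
            if ((raw[0] & 0xfe) == 0xfc) {
                return true; // fc00::/7 unique local (not covered by isSiteLocalAddress)
            }
        }
        return false;
    }

    // Constructed sample inputs; literal IPs are used so no DNS lookup is needed.
    public static void main(String[] args) {
        String[] samples = {
            "http://127.0.0.1:8080/actuator",           // loopback: rejected
            "http://169.254.169.254/latest/meta-data/", // link-local metadata: rejected
            "http://10.0.0.5/internal",                 // RFC 1918: rejected
            "http://[::1]/",                            // IPv6 loopback: rejected
            "file:///etc/passwd",                       // scheme not allowed: rejected
            "http://user@203.0.113.10/",                // user-info present: rejected
            "http://203.0.113.10/api"                   // public (TEST-NET-3) address: allowed
        };
        for (String sample : samples) {
            System.out.println(sample + " -> " + (isSafe(sample) ? "allowed" : "rejected"));
        }
    }
}
```

Because the flaw is second-order, checking only at add time is not enough: rows written before the check existed are still fetched by call, and a hostname that resolved to a public address when stored can be repointed later. Run the check again right before the outbound request, and connect to the address that was just validated rather than letting the HTTP client resolve the name a second time.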

Added: May 2, 2026, 5:22 AM
Updated: May 2, 2026, 5:22 AM

Vulnerability Rating

Custom Algorithm

spread          0.8
impact          0.6
exploitability  6.0
remediation     0.0
relevance       7.2
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.