JeecgBoot
cpe:2.3:a:jeecg:jeecg-boot:*:*:*:*:*:*:*
- <= 3.9.1
A server-side request forgery (SSRF) vulnerability has been identified in JeecgBoot versions through 3.9.1. The issue resides in the CommonController.uploadImgByHttp endpoint, where user-controlled URLs are processed without proper validation, allowing authenticated attackers to manipulate the server into fetching arbitrary external or internal resources. This vulnerability could be exploited for internal network scanning, local service enumeration, or unauthorized access to sensitive cloud metadata credentials.
Exploitation of this vulnerability results in server-side request forgery: the server is tricked into making HTTP requests on behalf of the attacker. Depending on what the fetched resource returns, this can lead to unauthorized access to internal resources, services, or sensitive metadata.
To reproduce this vulnerability, an authenticated session with file upload capabilities is required. A POST request can be sent to the /sys/common/uploadImgByHttp endpoint, including a JSON payload with a malicious internal URL in the fileUrl parameter. The server will fetch the specified URL without any security checks, potentially exposing internal data or services.
Users are advised to upgrade to the latest version of JeecgBoot, as the vendor has acknowledged the issue and will provide a fix in the upcoming release.
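The missing control described above is validation of the caller-supplied `fileUrl` before the server fetches it. The following is an added example, not JeecgBoot's own code and not the vendor's fix: it shows the kind of outbound-URL check a defender would put in front of any fetch-by-URL feature. The URL is parsed, its scheme and port are restricted, the host is resolved, and every resolved address is compared against loopback, private, link-local (including the 169.254.169.254 cloud-metadata address) and other non-public ranges before any connection is made. `validate_fetch_url`, `is_blocked_address`, the `resolve` parameter and the `FAKE_DNS` table are all names and data constructed for this example.

```python
"""Outbound URL validation for a fetch-by-URL feature (added example).

Not JeecgBoot code. It demonstrates the check the uploadImgByHttp endpoint
described above lacks: the user-supplied URL is parsed and the host is
resolved and screened against internal address ranges before any fetch.
"""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Address ranges a server-side fetcher should never be steered into.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",       # "this" network; 0.0.0.0 reaches local services on some stacks
    "10.0.0.0/8",      # RFC 1918 private
    "100.64.0.0/10",   # carrier-grade NAT
    "127.0.0.0/8",     # loopback
    "169.254.0.0/16",  # link-local, includes the 169.254.169.254 metadata endpoint
    "172.16.0.0/12",   # RFC 1918 private
    "192.168.0.0/16",  # RFC 1918 private
    "224.0.0.0/4",     # multicast
    "240.0.0.0/4",     # reserved
    "::/128",          # IPv6 unspecified
    "::1/128",         # IPv6 loopback
    "fc00::/7",        # IPv6 unique local (covers fd00::/8)
    "fe80::/10",       # IPv6 link-local
)]


def default_resolve(host):
    """Resolve host via the system resolver; returns every A/AAAA answer."""
    infos = socket.getaddrinfo(host, None)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_blocked_address(addr):
    """True if addr (IPv4Address or IPv6Address) lies in a blocked range."""
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as IPv4.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def validate_fetch_url(url, resolve=default_resolve):
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns (allowed, reason, pinned_address). The pinned address is the one
    the caller should actually connect to; re-resolving the name at fetch
    time would reopen the check to DNS rebinding.
    """
    try:
        parts = urlparse(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False, "unparseable URL or port", None
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed", None
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed", None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", None
    try:
        # IP literals are judged directly; names go through the resolver.
        # Decimal/octal forms such as "2130706433" are not literals to
        # ipaddress and are caught only after the resolver expands them.
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = resolve(host)
        except (socket.gaierror, ValueError):
            return False, "host does not resolve", None
    if not addrs:
        return False, "host does not resolve", None
    # Every answer must be public; a single internal answer is enough to refuse.
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host} resolves to blocked address {addr}", None
    return True, "ok", str(addrs[0])


# Constructed DNS table so the example runs offline (not real hosts).
FAKE_DNS = {
    "images.example.com": ["203.0.113.10"],
    "metadata.internal.example": ["169.254.169.254"],
    "rebinder.example": ["203.0.113.11", "10.0.0.5"],
    "localhost": ["127.0.0.1"],
}


def fake_resolve(host):
    """Offline stand-in for default_resolve backed by FAKE_DNS."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return [ipaddress.ip_address(a) for a in FAKE_DNS[host]]


if __name__ == "__main__":
    for u in ("https://images.example.com/logo.png",
              "http://169.254.169.254/latest/meta-data/",
              "http://rebinder.example/img.png",
              "http://[::ffff:127.0.0.1]/",
              "file:///etc/passwd"):
        print(u, "->", validate_fetch_url(u, resolve=fake_resolve))
```

The decision is made on the resolved addresses rather than on the hostname string, so `localhost`, a name under the attacker's control that answers with a private address, an IPv4-mapped IPv6 literal and the link-local metadata address are all refused by the same rule. Returning the pinned address matters: the HTTP client must connect to that address (or the check must be repeated at connect time), otherwise a name that changes its answer between validation and fetch defeats the check.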