FlowIntel Server-Side Request Forgery Vulnerability in External Reference URL Probe

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in FlowIntel versions prior to 3.3.0. The issue lies in the external reference URL probe functionality within app/case/task.py. It allows an attacker who can submit an external reference URL to cause the application server to send an HTTP HEAD request to a destination of the attacker's choosing. The root cause is inadequate validation of both the URL scheme and the address the hostname resolves to, so the probe may reach loopback, link-local, private, reserved, or otherwise restricted network ranges. Such requests can reach internal services or cloud metadata endpoints from the server's network context.
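The following is an added illustration of the two checks the advisory describes as missing (scheme allow-list plus classification of the resolved destination); it is not FlowIntel's code or its 3.3.0 fix, and the function names and the injectable `resolve` parameter are assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only plain web schemes may be probed; file:, gopher:, ftp: and friends are refused.
ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Resolve a hostname or IP literal to address strings via the OS resolver."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_public_address(addr):
    """True only for a globally routable unicast address."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the embedded IPv4 is classified.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
        return False
    return ip.is_global


def check_external_url(url, resolve=resolve_host):
    """Return (allowed, reason) for a URL the server is asked to HEAD-probe.

    `resolve` is injectable (an assumption of this example) so the check can be
    exercised offline; production code would use the real resolver.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        addrs = resolve(host)
    except (socket.gaierror, UnicodeError, OSError) as exc:
        return False, "resolution failed: %s" % exc
    if not addrs:
        return False, "host resolved to no addresses"
    # Every resolved address must be public; a mixed answer is rejected
    # rather than trusting whichever record the HTTP client would pick.
    for addr in addrs:
        if not is_public_address(addr):
            return False, "destination %s is not a public address" % addr
    # The probe must then connect to a validated address and must not follow
    # redirects blindly; otherwise a DNS change between check and use reopens the hole.
    return True, "ok"
```

Rejecting by resolved address rather than by hostname string is what defeats hostnames or alternate IP notations that map to restricted ranges; the check-then-use caveat in the last comment still has to be handled by the HTTP client.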

Impact

Exploitation of this vulnerability could lead to unauthorized access to internal services or cloud metadata endpoints, allowing attackers to interact with these resources from the server's network context.

Reproduction

To reproduce this vulnerability, submit an external reference URL that points to a restricted network resource, such as a loopback or private address. The application server will then send an HTTP HEAD request to the specified destination, demonstrating the SSRF vulnerability.

Remediation

Users should update to FlowIntel version 3.3.0 or later, where this vulnerability has been addressed.

Added: May 28, 2026, 10:23 AM
Updated: May 28, 2026, 10:23 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.4
exploitability: 5.7
remediation: 0.0
relevance: 9.3
threat: 4.8
urgency: 1.4
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.