CVE-2023-27163: request-baskets SSRF details - CodiMD

# request-baskets SSRF details Follow the official documentation to start forem with docker installation.  Then, we log in to the administrator background:  The following API’s forward_url parameter is vulnerable to SSRF： 1. /api/baskets/{name} 2. /baskets/{name} Let’s take /api/baskets/{name} API as an example, another API is the same vulnerability. We use the following payload to post /api/baskets/{name} API： ``` { "forward_url": "http://127.0.0.1:80/test", "proxy_response": false, "insecure_tls": false, "expand_path": true, "capacity": 250 } ```  Direct post can only set the url, you need to visit the url - http://192.168.175.213:55555/test to trigger the SSRF vulnerability.  # Influence： **Information Disclosure and Exfiltration** This was previously identified as an issue. Requests for images that are unauthenticated can lead to the leak of all existing images in the server. However, this isn’t limited to just images. Any resource that can be obtained via an HTTP request on the local network of the webserver can be obtained remotely via this request. **Unauthenticated Access to Internal Network HTTP Servers** The SSRF attack can be leveraged to connect to any HTTP Server connected to the same network as the request-baskets server, for instance an Nginx server exposed only internally, an internal RESTful API, such as a NoSQL database, or a GraphQL database. This is not limited just to services hosted on the local machine, but all the machines connected on the local network. **Port and IP Scanning and Enumeration** This vulnerability can be leveraged to port scan for HTTP servers both internal and external services on demand, as well as enumerating all the machines in the local network that have open HTTP ports.