CVE-2023-27162: openapi-generator API SSRF details - CodiMD

# openapi-generator API SSRF details When we tested the official demo website of openapi-generator, we found SSRF vulnerabilities in the following APIs, which proves that openapi-generator also has this SSRF vulnerability. The following API’s openAPIUrl parameter is vulnerable to SSRF: 1. /api/gen/clients/{language} 2. /api/gen/servers/{framework} Let’s take /api/gen/clients/{language} API as an example, another API is the same vulnerability. We modify the original API request parameters, here we use dnsLog to verify the existence of SSRF vulnerabilities.  The dnslog records are as follows：  This confirms the existence of the SSRF vulnerability. # Influence： **Information Disclosure and Exfiltration** This was previously identified as an issue. Requests for images that are unauthenticated can lead to the leak of all existing images in the server. However, this isn’t limited to just images. Any resource that can be obtained via an HTTP request on the local network of the webserver can be obtained remotely via this request. **Unauthenticated Access to Internal Network HTTP Servers** The SSRF attack can be leveraged to connect to any HTTP Server connected to the same network as the openapi-generator server, for instance an Nginx server exposed only internally, an internal RESTful API, such as a NoSQL database, or a GraphQL database. This is not limited just to services hosted on the local machine, but all the machines connected on the local network. **Port and IP Scanning and Enumeration** This vulnerability can be leveraged to port scan for HTTP servers both internal and external services on demand, as well as enumerating all the machines in the local network that have open HTTP ports.