Jenkins Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   AbsInt a³ Plugin
*   Convert To Pipeline Plugin
*   Cppcheck Plugin
*   Crap4J Plugin
*   JaCoCo Plugin
*   Mashup Portlets Plugin
*   OctoPerf Load Testing Plugin Plugin
*   OctoPerf Load Testing Plugin Plugin
*   OctoPerf Load Testing Plugin Plugin
*   Performance Publisher Plugin
*   Phabricator Differential Plugin
*   Pipeline Aggregator View Plugin
*   remote-jobs-view-plugin Plugin
*   Role-based Authorization Strategy Plugin
*   Visual Studio Code Metrics Plugin

**Descriptions****Incorrect permission checks in Role-based Authorization Strategy Plugin**

**SECURITY-3053 / CVE-2023-28668**  
**Severity (CVSS):** Medium  
**Affected plugin: role-strategy**  
**Description:**

Permissions in Jenkins can be enabled and disabled. Some permissions are disabled by default, e.g., Overall/Manage or Item/Extended Read. Disabled permissions cannot be granted directly, only through greater permissions that imply them (e.g., Overall/Administer or Item/Configure).

Role-based Authorization Strategy Plugin 587.v2872c41fa\_e51 and earlier grants permissions even after they’ve been disabled.

This allows attackers to have greater access than they’re entitled to after the following operations took place:

1.  A permission is granted to attackers directly or through groups.
    
2.  The permission is disabled, e.g., through the script console.
    

Role-based Authorization Strategy Plugin 587.588.v850a\_20a\_30162 does not grant disabled permissions.

**Stored XSS vulnerability in JaCoCo Plugin**

**SECURITY-3061 / CVE-2023-28669**  
**Severity (CVSS):** High  
**Affected plugin: jacoco**  
**Description:**

JaCoCo Plugin 3.3.2 and earlier does not escape class and method names shown on the UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action.

JaCoCo Plugin 3.3.2.1 escapes class and method names shown on the UI.

**Stored XSS vulnerability in Pipeline Aggregator View Plugin**

**SECURITY-2885 / CVE-2023-28670**  
**Severity (CVSS):** High  
**Affected plugin: pipeline-aggregator-view**  
**Description:**

Pipeline Aggregator View Plugin 1.13 and earlier does not escape a variable representing the current view’s URL in inline JavaScript.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.

Pipeline Aggregator View Plugin 1.14 obtains the current URL in a way not susceptible to XSS.

**CSRF vulnerability in OctoPerf Load Testing Plugin Plugin**

**SECURITY-3067 (1) / CVE-2023-28671**  
**Severity (CVSS):** Medium  
**Affected plugin: octoperf**  
**Description:**

OctoPerf Load Testing Plugin Plugin 4.5.0 and earlier does not require POST requests for a connection test HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

OctoPerf Load Testing Plugin Plugin 4.5.1 requires POST requests for the affected connection test HTTP endpoint.

**Missing permission check in OctoPerf Load Testing Plugin Plugin**

**SECURITY-3067 (2) / CVE-2023-28672**  
**Severity (CVSS):** High  
**Affected plugin: octoperf**  
**Description:**

OctoPerf Load Testing Plugin Plugin 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

OctoPerf Load Testing Plugin Plugin 4.5.2 properly performs a permission check when accessing the affected connection test HTTP endpoint.

**Missing permission check in OctoPerf Load Testing Plugin Plugin allows enumerating credentials IDs**

**SECURITY-3067 (3) / CVE-2023-28673**  
**Severity (CVSS):** Medium  
**Affected plugin: octoperf**  
**Description:**

OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in OctoPerf Load Testing Plugin Plugin 4.5.3 requires the appropriate permissions.

**CSRF vulnerability and missing permission checks in OctoPerf Load Testing Plugin Plugin**

**SECURITY-3067 (4) / CVE-2023-28674 (CSRF), CVE-2023-28675 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: octoperf**  
**Description:**

OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to a previously configured Octoperf server using attacker-specified credentials.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

OctoPerf Load Testing Plugin Plugin 4.5.3 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

**CSRF vulnerability in Convert To Pipeline Plugin results in RCE**

**SECURITY-2963 / CVE-2023-28676**  
**Severity (CVSS):** High  
**Affected plugin: convert-to-pipeline**  
**Description:**

Convert To Pipeline Plugin 1.0 and earlier does not require POST requests for the HTTP endpoint converting a Freestyle project to Pipeline, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to create a Pipeline based on a Freestyle project. Combined with SECURITY-2966, this can result in the execution of unsandboxed Pipeline scripts.

**Command injection vulnerability in Convert To Pipeline Plugin results in RCE**

**SECURITY-2966 / CVE-2023-28677**  
**Severity (CVSS):** High  
**Affected plugin: convert-to-pipeline**  
**Description:**

Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations.

This allows attackers able to configure Freestyle projects to prepare a crafted configuration that injects Pipeline script code into the (unsandboxed) Pipeline resulting from a conversion by Convert To Pipeline Plugin. If an administrator converts the Freestyle project to a Pipeline, the script will be pre-approved.

**Stored XSS vulnerability in Cppcheck Plugin**

**SECURITY-2809 / CVE-2023-28678**  
**Severity (CVSS):** High  
**Affected plugin: cppcheck**  
**Description:**

Cppcheck Plugin 1.26 and earlier does not escape file names from Cppcheck report files before showing them on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control report file contents.

**Stored XSS vulnerability in Mashup Portlets Plugin**

**SECURITY-2813 / CVE-2023-28679**  
**Severity (CVSS):** High  
**Affected plugin: mashup-portlets-plugin**  
**Description:**

Mashup Portlets Plugin 1.1.2 and earlier provides the "Generic JS Portlet" feature that lets a user populate a portlet using a custom JavaScript expression.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.

**XXE vulnerability in Crap4J Plugin**

**SECURITY-2925 / CVE-2023-28680**  
**Severity (CVSS):** High  
**Affected plugin: crap4j**  
**Description:**

Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control Crap Report file contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in Visual Studio Code Metrics Plugin**

**SECURITY-2926 / CVE-2023-28681**  
**Severity (CVSS):** High  
**Affected plugin: vs-code-metrics**  
**Description:**

Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control VS Code Metrics File contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in Performance Publisher Plugin**

**SECURITY-2928 / CVE-2023-28682**  
**Severity (CVSS):** High  
**Affected plugin: perfpublisher**  
**Description:**

Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control PerfPublisher report files to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in Phabricator Differential Plugin**

**SECURITY-2942 / CVE-2023-28683**  
**Severity (CVSS):** High  
**Affected plugin: phabricator-plugin**  
**Description:**

Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control coverage report file contents for the 'Post to Phabricator' post-build action to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in remote-jobs-view-plugin Plugin**

**SECURITY-2956 / CVE-2023-28684**  
**Severity (CVSS):** High  
**Affected plugin: remote-jobs-view-plugin**  
**Description:**

remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows authenticated attackers with Overall/Read permission to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in AbsInt a³ Plugin**

**SECURITY-2930 / CVE-2023-28685**  
**Severity (CVSS):** High  
**Affected plugin: absint-a3**  
**Description:**

AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control 'Project File (APX)' contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**Severity**

*   SECURITY-2809: High
*   SECURITY-2813: High
*   SECURITY-2885: High
*   SECURITY-2925: High
*   SECURITY-2926: High
*   SECURITY-2928: High
*   SECURITY-2930: High
*   SECURITY-2942: High
*   SECURITY-2956: High
*   SECURITY-2963: High
*   SECURITY-2966: High
*   SECURITY-3053: Medium
*   SECURITY-3061: High
*   SECURITY-3067 (1): Medium
*   SECURITY-3067 (2): High
*   SECURITY-3067 (3): Medium
*   SECURITY-3067 (4): Medium

**Affected Versions**

*   **AbsInt a³ Plugin** up to and including 1.1.0
*   **Convert To Pipeline Plugin** up to and including 1.0
*   **Cppcheck Plugin** up to and including 1.26
*   **Crap4J Plugin** up to and including 0.9
*   **JaCoCo Plugin** up to and including 3.3.2
*   **Mashup Portlets Plugin** up to and including 1.1.2
*   **OctoPerf Load Testing Plugin Plugin** up to and including 4.5.0
*   **OctoPerf Load Testing Plugin Plugin** up to and including 4.5.1
*   **OctoPerf Load Testing Plugin Plugin** up to and including 4.5.2
*   **Performance Publisher Plugin** up to and including 8.09
*   **Phabricator Differential Plugin** up to and including 2.1.5
*   **Pipeline Aggregator View Plugin** up to and including 1.13
*   **remote-jobs-view-plugin Plugin** up to and including 0.0.3
*   **Role-based Authorization Strategy Plugin** up to and including 587.v2872c41fa\_e51
*   **Visual Studio Code Metrics Plugin** up to and including 1.7

**Fix**

*   **JaCoCo Plugin** should be updated to version 3.3.2.1
*   **OctoPerf Load Testing Plugin Plugin** should be updated to version 4.5.1
*   **OctoPerf Load Testing Plugin Plugin** should be updated to version 4.5.2
*   **OctoPerf Load Testing Plugin Plugin** should be updated to version 4.5.3
*   **Pipeline Aggregator View Plugin** should be updated to version 1.14
*   **Role-based Authorization Strategy Plugin** should be updated to version 587.588.v850a\_20a\_30162

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   AbsInt a³ Plugin
*   Convert To Pipeline Plugin
*   Cppcheck Plugin
*   Crap4J Plugin
*   Mashup Portlets Plugin
*   Performance Publisher Plugin
*   Phabricator Differential Plugin
*   remote-jobs-view-plugin Plugin
*   Visual Studio Code Metrics Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **CC Bomber, Kitri BoB** for SECURITY-2925, SECURITY-2926, SECURITY-2928, SECURITY-2930, SECURITY-2942, SECURITY-2963
*   **Daniel Beck, CloudBees, Inc. and Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2809
*   **Daniel Beck, CloudBees, Inc. and Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-3053
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2885, SECURITY-3061
*   **LaNyer640 & Crilwa** for SECURITY-2956
*   **Valdes Che Zogou, CloudBees, Inc.** for SECURITY-2813
*   **Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-2966, SECURITY-3067 (1), SECURITY-3067 (2), SECURITY-3067 (3), SECURITY-3067 (4)

CVE-2023-28680: Jenkins Security Advisory 2023-03-21

Jenkins JaCoCo Plugin 3.3.2 and earlier does not escape class and method names shown on the UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action.

CVE-2023-28669: Jenkins Security Advisory 2023-03-21

Jenkins remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28684: Jenkins Security Advisory 2023-03-21

Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28682: Jenkins Security Advisory 2023-03-21

IBM Aspera Cargo 4.2.5 and IBM Aspera Connect 4.2.5 are vulnerable to a buffer overflow, caused by improper bounds checking. An attacker could overflow a buffer and execute arbitrary code on the system. IBM X-Force ID: 248616.

  

**Summary**

This Security Bulletin addresses security vulnerabilities that have been remediated in IBM Aspera Cargo 4.2.5 and IBM Aspera Connect 4.2.5.

**Vulnerability Details**

**CVEID:**   CVE-2023-27286  
**DESCRIPTION:**   IBM Aspera Cargo and IBM Aspera Connect are vulnerable to a buffer overflow, caused by improper bounds checking. An attacker could overflow a buffer and execute arbitrary code on the system.  
CVSS Base score: 8.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/248627 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-27284  
**DESCRIPTION:**   IBM Aspera Cargo and IBM Aspera Connect are vulnerable to a buffer overflow, caused by improper bounds checking. An attacker could overflow a buffer and execute arbitrary code on the system.  
CVSS Base score: 8.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/248616 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Aspera Cargo

v4.2.4 and prior versions

IBM Aspera Connect

v4.2.4 and prior versions

**Remediation/Fixes**

It is recommended to apply the fix **as soon as possible**, see link below.

**Product(s)**

**Fixing VRM**

**Platform(s)**

**Link to Fix**

IBM Aspera Cargo

4.2.5

Windows

click here

IBM Aspera Cargo

4.2.5

Linux

click here

IBM Aspera Cargo

4.2.5

Mac OS

click here

IBM Aspera Connect

4.2.5

Windows

click here

IBM Aspera Connect

4.2.5

Linux

click here

IBM Aspera Connect

4.2.5

Mac OS

click here

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

27 Mar 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSXMXJ","label":"IBM Aspera Faspex On Demand"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"5.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSXNJ7","label":"IBM Aspera Shares On Demand"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"1.10","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSXMX3","label":"IBM Aspera Connect"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF017","label":"Mac OS"}\],"Version":"4.2.5","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSH2ME","label":"IBM Aspera Cargo"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF017","label":"Mac OS"}\],"Version":"4.2.5","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSGSS4","label":"IBM Aspera Shares"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"1.10","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SS5W4X","label":"IBM Aspera On Cloud"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"1.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SS8NDZ","label":"IBM Aspera"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"1.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSHI916","label":"IBM Aspera Enterprise On Demand"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"1.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSQ65JJ","label":"IBM Aspera Enterprise"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"1.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSRFYR","label":"IBM Aspera on Demand"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"1.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSGPEF","label":"IBM Aspera Faspex"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"5.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2023-27286: Security Bulletin: IBM Aspera Cargo 4.2.5 and IBM Aspera Connect 4.2.5 have addressed multiple buffer overflow vulnerabilities (CVE-2023-27286, CVE-2023-27284)

request-baskets up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /api/baskets/{name}. This vulnerability allows attackers to access network resources and sensitive information via a crafted API request.

**request-baskets vulnerable to Server-Side Request Forgery**

Moderate severity GitHub Reviewed Published Mar 31, 2023 to the GitHub Advisory Database • Updated Mar 31, 2023

GHSA-58g2-vgpg-335q: request-baskets vulnerable to Server-Side Request Forgery

openapi-generator up to v6.4.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /api/gen/clients/{language}. This vulnerability allows attackers to access network resources and sensitive information via a crafted API request.

**OpenAPI Generator vulnerable to Server-Side Request Forgery**

Moderate severity GitHub Reviewed Published Mar 31, 2023 to the GitHub Advisory Database • Updated Mar 31, 2023

GHSA-wg4w-5m5r-w3p8: OpenAPI Generator vulnerable to Server-Side Request Forgery

\# request-baskets SSRF details Follow the official documentation to start forem with docker installation. !\[\](https://notes.sjtu.edu.cn/uploads/upload\_f37294d56f74b588fac26542b22f7624.png) Then, we log in to the administrator background: !\[\](https://notes.sjtu.edu.cn/uploads/upload\_5fa5fdd0cd07c6d78a8e34f54c839f3d.png) The following API's forward\_url parameter is vulnerable to SSRF： 1. /api/baskets/{name} 2. /baskets/{name} Let's take /api/baskets/{name} API as an example, another API is the same vulnerability. We use the following payload to post /api/baskets/{name} API： \`\`\` { "forward\_url": "http://127.0.0.1:80/test", "proxy\_response": false, "insecure\_tls": false, "expand\_path": true, "capacity": 250 } \`\`\` !\[\](https://notes.sjtu.edu.cn/uploads/upload\_2f8962255d21885cb2c34b95a1baa801.png) Direct post can only set the url, you need to visit the url - http://192.168.175.213:55555/test to trigger the SSRF vulnerability. !\[\](https://notes.sjtu.edu.cn/uploads/upload\_8371c9701d7823878b9cc0cb4a6d44b4.png) # Influence： \*\*Information Disclosure and Exfiltration\*\* This was previously identified as an issue. Requests for images that are unauthenticated can lead to the leak of all existing images in the server. However, this isn't limited to just images. Any resource that can be obtained via an HTTP request on the local network of the webserver can be obtained remotely via this request. \*\*Unauthenticated Access to Internal Network HTTP Servers\*\* The SSRF attack can be leveraged to connect to any HTTP Server connected to the same network as the request-baskets server, for instance an Nginx server exposed only internally, an internal RESTful API, such as a NoSQL database, or a GraphQL database. This is not limited just to services hosted on the local machine, but all the machines connected on the local network. \*\*Port and IP Scanning and Enumeration\*\* This vulnerability can be leveraged to port scan for HTTP servers both internal and external services on demand, as well as enumerating all the machines in the local network that have open HTTP ports.

CVE-2023-27163: request-baskets SSRF details - CodiMD

\# openapi-generator API SSRF details When we tested the official demo website of openapi-generator, we found SSRF vulnerabilities in the following APIs, which proves that openapi-generator also has this SSRF vulnerability. The following API's openAPIUrl parameter is vulnerable to SSRF: 1. /api/gen/clients/{language} 2. /api/gen/servers/{framework} Let’s take /api/gen/clients/{language} API as an example, another API is the same vulnerability. We modify the original API request parameters, here we use dnsLog to verify the existence of SSRF vulnerabilities. !\[\](https://notes.sjtu.edu.cn/uploads/upload\_27041c70c32fc6630d4507d38436e91b.png) The dnslog records are as follows： !\[\](https://notes.sjtu.edu.cn/uploads/upload\_6593542e6d7d269dbbd1e48c39e785ec.png) This confirms the existence of the SSRF vulnerability. # Influence： \*\*Information Disclosure and Exfiltration\*\* This was previously identified as an issue. Requests for images that are unauthenticated can lead to the leak of all existing images in the server. However, this isn't limited to just images. Any resource that can be obtained via an HTTP request on the local network of the webserver can be obtained remotely via this request. \*\*Unauthenticated Access to Internal Network HTTP Servers\*\* The SSRF attack can be leveraged to connect to any HTTP Server connected to the same network as the openapi-generator server, for instance an Nginx server exposed only internally, an internal RESTful API, such as a NoSQL database, or a GraphQL database. This is not limited just to services hosted on the local machine, but all the machines connected on the local network. \*\*Port and IP Scanning and Enumeration\*\* This vulnerability can be leveraged to port scan for HTTP servers both internal and external services on demand, as well as enumerating all the machines in the local network that have open HTTP ports.

CVE-2023-27162: openapi-generator API SSRF details - CodiMD

forem up to v2022.11.11 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /articles/{id}. This vulnerability allows attackers to access network resources and sensitive information via a crafted POST request.

  
**Forem 🌱**

**For Empowering Community**

   

Welcome to the Forem codebase, the platform that powers dev.to. We are so excited to have you. With your help, we can build out Forem’s usability, scalability, and stability to better serve our communities.

**What is Forem?**

Forem is open source software for building communities. Communities for your peers, customers, fanbases, families, friends, and any other time and space where people need to come together to be part of a collective. See our announcement post for a high-level overview of what Forem is.

dev.to (or just DEV) is hosted by Forem. It is a community of software developers who write articles, take part in discussions, and build their professional profiles. We value supportive and constructive dialogue in the pursuit of great code and career growth for all members. The ecosystem spans from beginner to advanced developers, and all are welcome to find their place within our community. ❤️

**Table of Contents**

*   What is Forem?
*   Table of Contents
*   Community
*   Contributing
*   Getting Started
    *   Prerequisites
        *   Local
        *   Containers
    *   Installation Documentation
*   Developer Documentation
*   Core team
*   Vulnerability disclosure
*   Acknowledgements
*   License

**Community**

For a place to have open discussions on features, voice your ideas, or get help with general questions please visit our community at forem.dev.

**Contributing**

We encourage you to contribute to Forem! Please check out the Contributing to Forem guide for guidelines about how to proceed.

**Getting Started**

This section provides a high-level quick start guide. If you're looking for a more thorough installation guide (for example with macOS, you'll want to refer to our complete Developer Documentation.

We run on a Rails backend, and we are currently transitioning to a Preact\-first frontend.

A more complete overview of our stack is available in our docs.

To **launch Forem in Gitpod**, navigate to https://gitpod.io/#https://github.com/{your\_github\_username}/forem.

**Prerequisites****Local**

*   Ruby: we recommend using rbenv to install the Ruby version listed on the badge.
*   Yarn 1.x: please refer to their installation guide.
*   PostgreSQL 11 or higher.
*   ImageMagick: please refer to ImageMagick's installation instructions.
*   Redis 4 or higher.

**Containers**

**Linux**

*   Podman 1.9.2 or higher
*   Podman Compose 0.1.5 or higher

**OS X**

*   Docker Desktop for Mac

**Installation Documentation**

Please see our installation guides, such as the one for macOS.

**Developer Documentation**

Check out our dedicated docs page for more technical documentation.

**Core team**

*   @benhalpern
*   @jessleenyc
*   @peterkimfrank
*   @maestromac
*   @lightalloy
*   @ridhwana
*   @rt4914
*   @jaw6
*   @lboogie2004
*   @klardotsh

**Vulnerability disclosure**

Forem is the open source software which powers DEV.

We welcome security research on DEV under the terms of our vulnerability disclosure policy.

**Acknowledgements**

Thank you to the Twemoji project for the usage of their emojis.

**License**

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. Please see the LICENSE file in our repository for the full text.

Like many open source projects, we require that contributors provide us with a Contributor License Agreement (CLA). By submitting code to the Forem project, you are granting us a right to use that code under the terms of the CLA.

Our version of the CLA was adapted from the Microsoft Contributor License Agreement, which they generously made available to the public domain under Creative Commons CC0 1.0 Universal.

Any questions, please refer to our license FAQ doc or email yo@dev.to.

  
**Happy Coding** ❤️

⬆ Back to Top

Tag

#ssrf