PartKeepr v1.4.0 url attachment 'add parts' - SSRF
Summary
| Name | PartKeepr v1.4.0 url attachment 'add parts' - SSRF |
| Code name | |
| Product | PartKeepr |
| Affected versions | v1.4.0 |
| State | Public |
| Release date | 2022-01-09 |
Vulnerability
| Kind | Server Side Request Forgery |
| Rule | |
| Remote | Yes |
| CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| CVSSv3.1 Base Score | 4.3 |
| Exploit available | No |
| CVE ID(s) |
Description
In PartKeepr versions up to and including 1.4.0, the functionality to upload attachments using a URL when creating a part does not validate that requests can be made to local ports, allowing an authenticated user to carry out SSRF attacks and port enumeration.
Proof of Concept
- Go to 'Add Part'.
- Click on 'Attachments'.
- Click on 'Add'.
- Fill the 'URL' field with an url using a local port "http://127.0.0.1:3306".
- Click on 'Upload'.
- Click on the uploaded file in order to download the file and see the content.
Exploit
There is no exploit for the vulnerability but can be manually exploited.
Mitigation
By 2022-01-04 there is not a patch resolving the issue.
Credits
The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.
References
Vendor page https://partkeepr.org/
Issue https://github.com/partkeepr/PartKeepr/issues/1230/
Timeline
2022-01-03
Vulnerability discovered.
2022-01-04
Vendor contacted.
2022-01-09
Public Disclosure.
