PartKeepr v1.4.0 url attachment 'add parts' - SSRF

Summary

NamePartKeepr v1.4.0 url attachment 'add parts' - SSRF
Code nameJoplin
ProductPartKeepr
Versionsv1.4.0
StatePublic
Release date2022-01-09

Vulnerability

KindServer Side Request Forgery
Rule100. Server-side request forgery (SSRF)
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSSv3 Base Score4.3
Exploit availableNo
CVE ID(s)CVE-2022-22702

Description

In PartKeepr versions up to and including 1.4.0, the functionality to upload attachments using a URL when creating a part does not validate that requests can be made to local ports, allowing an authenticated user to carry out SSRF attacks and port enumeration.

Proof of Concept

  • Go to 'Add Part'.
  • Click on 'Attachments'.
  • Click on 'Add'.
  • Fill the 'URL' field with an url using a local port "http://127.0.0.1:3306".
  • Click on 'Upload'.
  • Click on the uploaded file in order to download the file and see the content.

Exploit

There is no exploit for the vulnerability but can be manually exploited.

Mitigation

By 2022-01-04 there is not a patch resolving the issue.

Credits

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

References

Vendor page https://partkeepr.org/

Issue https://github.com/partkeepr/PartKeepr/issues/1230/

Timeline

Time-lapse-logo

2022-01-03

Vulnerability discovered.

Time-lapse-logo

2022-01-04

Vendor contacted.

Time-lapse-logo

2022-01-09

Public Disclosure.