PartKeepr v1.4.0 url attachment 'add parts' - SSRF
4,3
Medium
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
PartKeepr v1.4.0 url attachment 'add parts' - SSRF
Code name
State
Public
Release date
9 ene 2022
Affected product
PartKeepr
Affected version(s)
v1.4.0
Vulnerability name
Server Side Request Forgery
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v3.1 base score
4.3
Exploit available
No
CVE ID(s)
Description
In PartKeepr versions up to and including 1.4.0, the functionality to upload attachments using a URL when creating a part does not validate that requests can be made to local ports, allowing an authenticated user to carry out SSRF attacks and port enumeration.
Proof of Concept
Go to 'Add Part'.
Click on 'Attachments'.
Click on 'Add'.
Fill the 'URL' field with an url using a local port "http://127.0.0.1:3306".
Click on 'Upload'.
Click on the uploaded file in order to download the file and see the content.
Exploit
There is no exploit for the vulnerability but can be manually exploited.
Mitigation
By 2022-01-04 there is not a patch resolving the issue.
References
Timeline
IA generativa
3 ene 2022
Vendor contacted
4 ene 2022
Public disclosure
9 ene 2022
