CVE-2024-5526, with a critical CVSS 3.1 score of 9.1
During my research on the open source Grafana application, I found a way to perform an SSRF (server-side request forgery) attack via the OnCall functionality. This allowed users to make the server perform HTTP requests and, for example, retrieve the AWS metadata credentials. Grafana Labs assigned a CVE (https://nvd.nist.gov/vuln/detail/CVE-2024-5526) to this issue and resolved it in a timely manner.
What is SSRF?
Server-Side Request Forgery (SSRF) is a web security vulnerability that allows an attacker to make the server-side application send HTTP requests to a location of the attacker's choosing. This vulnerability occurs when a web application doesn't validate or sanitize user-supplied URLs before sending requests to them.
Suppose an application fetches data from a URL provided by the user. An SSRF attack might exploit this by sending a URL that targets internal services:
http://example.com/fetch?url=http://internal-system/admin
Here, http://internal-system/admin could be an internal management endpoint not meant for public access, but the SSRF vulnerability allows it to be accessed via the application's backend.
Dangers of SSRF
SSRF attacks can lead to several severe security issues, including:
Accessing Internal Systems: Attackers can interact with internal services or databases that are not exposed to the internet, potentially leading to data leakage or unauthorized actions.
Port Scanning: An attacker can perform port scanning on internal networks to discover other vulnerable services and systems.
Sensitive Data Exposure: The application might reveal sensitive information from internal services, such as cloud instance metadata, configuration files, or internal IP addresses.
Bypassing Access Controls: SSRF can bypass security controls by exploiting trust relationships within a network, such as accessing a private network behind a firewall.
Exploiting Other Vulnerabilities: An SSRF vulnerability might be a stepping stone to exploiting other vulnerabilities, like Remote Code Execution (RCE) or further lateral movement within the network.