A Security Advisory has been raised for Haven v5d15944 (CVE-2023-24060):

Description:
Haven v5d15944 allows Server-Side Request Forgery (SSRF) via the Feeds functionality.
Malicious authenticated users with the ability to create or add RSS Feeds to the website can supply an arbitrary host, such as the host itself, in an attempt to scan the internal network.

Affected URL (Parameter):
http://localhost:3000/feeds (url)

Suggested Fix:
Consider performing this action on the client-side. There's no need for the server to fetch the RSS feed; have the user's browser fetch the latest feed when loading the page. This would also remove the need to have a script that will execute every so often to update the RSS feed.

Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24060
https://nvd.nist.gov/vuln/detail/CVE-2023-24060
https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html

Payload:

Thanks for the report. Right now the only user who can modify feeds is the admin for a Haven so this seems pretty low risk. Hosted Havens each run in their own (virtual) network for further isolation. There are future plans I have for Haven where this will be more significant--I'll have to think about how I want to approach resolution.
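The submitter's suggested fix removes server-side fetching altogether. If the server keeps fetching feeds (the maintainer mentions plans where feeds become more significant), the OWASP cheat sheet linked above recommends validating the destination before the request is made. The following is an added example, not Haven's own code: a Ruby policy module (assuming Haven's fetcher is Ruby, which the page does not state) that parses the user-supplied feed URL, restricts it to http/https, rejects embedded credentials, resolves the host, and refuses any answer in loopback, private, link-local, multicast or reserved space, including IPv4-mapped IPv6 literals. The module name `FeedUrlPolicy`, the `check_feed_url` method and the injectable `resolver` are assumptions made for the example.

```ruby
require "uri"
require "ipaddr"
require "resolv"

# Added example (not Haven's code): destination check for a server-side feed
# fetcher. The fetcher is assumed to call check_feed_url first and then connect
# to the returned, already-resolved IP so the DNS answer cannot change between
# the check and the request.
module FeedUrlPolicy
  ALLOWED_SCHEMES = %w[http https].freeze

  # Address ranges a server must never reach on a user's behalf.
  BLOCKED_RANGES = [
    IPAddr.new("0.0.0.0/8"),        # "this" network; reaches the local host on Linux
    IPAddr.new("10.0.0.0/8"),       # RFC 1918 private
    IPAddr.new("100.64.0.0/10"),    # carrier-grade NAT (RFC 6598)
    IPAddr.new("127.0.0.0/8"),      # loopback
    IPAddr.new("169.254.0.0/16"),   # link-local, includes cloud metadata endpoints
    IPAddr.new("172.16.0.0/12"),    # RFC 1918 private
    IPAddr.new("192.168.0.0/16"),   # RFC 1918 private
    IPAddr.new("224.0.0.0/4"),      # multicast
    IPAddr.new("240.0.0.0/4"),      # reserved
    IPAddr.new("::/128"),           # unspecified
    IPAddr.new("::1/128"),          # IPv6 loopback
    IPAddr.new("fc00::/7"),         # IPv6 unique local
    IPAddr.new("fe80::/10"),        # IPv6 link-local
    IPAddr.new("ff00::/8")          # IPv6 multicast
  ].freeze

  Result = Struct.new(:ok, :reason, :ip, keyword_init: true)

  # Returns a Result. `resolver` maps a hostname to a list of address strings;
  # it defaults to the system resolver and is injectable so the policy can be
  # exercised without network access.
  def self.check_feed_url(raw_url, resolver: ->(host) { Resolv.getaddresses(host) })
    uri = begin
      URI.parse(raw_url.to_s.strip)
    rescue URI::InvalidURIError
      return Result.new(ok: false, reason: "unparseable URL")
    end
    scheme = uri.scheme&.downcase
    return Result.new(ok: false, reason: "scheme must be http or https") unless ALLOWED_SCHEMES.include?(scheme)
    return Result.new(ok: false, reason: "credentials in URL are not allowed") if uri.userinfo

    host = uri.hostname  # unlike #host, #hostname strips the brackets of an IPv6 literal
    return Result.new(ok: false, reason: "missing host") if host.nil? || host.empty?

    addresses = ip_literal?(host) ? [host] : resolver.call(host)
    return Result.new(ok: false, reason: "host did not resolve") if addresses.empty?

    # Every answer must be public: whoever controls the DNS for a domain can mix
    # a public record with a private one and hope the fetcher picks the latter.
    addresses.each do |addr|
      ip = begin
        IPAddr.new(addr)
      rescue IPAddr::InvalidAddressError
        return Result.new(ok: false, reason: "unrecognised address #{addr}")
      end
      # ::ffff:127.0.0.1 is loopback in disguise; compare it as 127.0.0.1.
      ip = IPAddr.new(ip.native.to_s) if ip.ipv4_mapped?
      if BLOCKED_RANGES.any? { |range| range.include?(ip) }
        return Result.new(ok: false, reason: "resolves to non-public address #{addr}")
      end
    end
    Result.new(ok: true, ip: addresses.first)
  end

  def self.ip_literal?(host)
    IPAddr.new(host)
    true
  rescue IPAddr::InvalidAddressError
    false
  end
end
```

Two points matter when wiring this in. First, the fetcher should connect to `result.ip` rather than resolving the name a second time (with `Net::HTTP` that is the `ipaddr=` setter, keeping the original name for the Host header and TLS); otherwise a short-TTL DNS record can pass the check and then point at an internal address for the real request. Second, redirects must not be followed blindly: each `Location` value goes back through `check_feed_url` before the next hop, since an allowed public feed URL can redirect to an internal one.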