InfoSec LAB

Sau_CVE-2023-27163

Created: 2 min read

CVE-2023-27163

a vulnerability was found in request-baskets up to 1.2.1 and classified as critical. Affected by this issue is an unknown functionality of the file /api/baskets/{name} of the component API Request Handler. The manipulation with an unknown input leads to a server-side request forgery vulnerability. Using CWE to declare the problem leads to CWE-918. The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Impacted is confidentiality, integrity, and availability.

Exploit

[description]
request-baskets up to v1.2.1 was discovered to contain a Server-Side
Request Forgery (SSRF) via the component /api/baskets/{name}. This
vulnerability allows attackers to access network resources and
sensitive information via a crafted API request.
>
------------------------------------------
>
[VulnerabilityType Other]
Server-Side Request Forgery (SSRF)
>
------------------------------------------
>
[Vendor of Product]
https://github.com/darklynx/request-baskets
>
------------------------------------------
>
[Affected Product Code Base]
request-baskets - <= Version 1.2.1
>
------------------------------------------
>
[Affected Component]
The API endpoints /api/baskets/{name}, /baskets/{name} are vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the forward_url parameter.
>
------------------------------------------
>
[Attack Type]
Remote
>
------------------------------------------
>
[Impact Escalation of Privileges]
true
>
------------------------------------------
>
[Impact Information Disclosure]
true
>
------------------------------------------
>
[Attack Vectors]
POC: POST /api/baskets/{name} API with payload - {"forward_url": "http://127.0.0.1:80/test","proxy_response": false,"insecure_tls": false,"expand_path": true,"capacity": 250}
details can be seen: https://notes.sjtu.edu.cn/s/MUUhEymt7
>
------------------------------------------
>
[Discoverer]
beet1e
>
------------------------------------------
>
[Reference]
http://request-baskets.com
https://github.com/darklynx/request-baskets
https://notes.sjtu.edu.cn/s/MUUhEymt

While there isn’t any public exploit available for the vulnerability, the original author published the disclosure along with the summary

Interactive Graph View

Backlinks