Mend Vulnerability Database
Date: February 9, 2022
Overview
In ArangoDB, versions v3.7.0 through v3.9.0-alpha.1 have a feature that allows downloading a Foxx service from a publicly available URL. This feature does not enforce proper filtering of the requests it performs internally, which a highly privileged attacker can abuse to perform blind SSRF and send internal requests to localhost.
Details
ArangoDB is a native multi-model database with flexible data models for documents, graphs, and key-values. Affected versions of ArangoDB are vulnerable to blind SSRF due to improper filtering of requests performed internally by the feature that downloads Foxx services from a publicly available URL. An authenticated attacker can abuse this to send internal requests to localhost.
Note: ArangoDB 3.8.5 and later 3.8.x releases are still vulnerable to this issue by default, but the behaviour can be toggled in the startup options. For further information, see this comment: https://github.com/arangodb/arangodb/pull/15344#issue-1079754008
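The root cause described above is a fetch-from-URL feature that never checks where the URL actually points. The following is an added example, not ArangoDB's code, of the destination check such a fetcher needs before it issues any request on a user's behalf: it restricts the scheme, resolves the host, and rejects every address that is not globally routable (loopback, RFC 1918, link-local, IPv4-mapped loopback, and so on). The `resolver` parameter, the `SAMPLE_DNS` table and its hostnames and addresses are assumptions constructed for offline use.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def is_internal_address(ip):
    """True when ip (str or ipaddress object) must never be fetched on a
    user's behalf: loopback, private/ULA, link-local (this covers
    169.254.169.254), multicast, reserved, unspecified, or otherwise not
    globally routable."""
    addr = ipaddress.ip_address(ip)
    # An IPv4-mapped IPv6 address such as ::ffff:127.0.0.1 is still loopback;
    # unwrap it so the IPv4 rules apply.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (
        addr.is_loopback
        or addr.is_private
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
        or not addr.is_global
    )


def resolve_host(host):
    """Every address a hostname resolves to: a name with several records is
    only safe if all of them are."""
    addrs = set()
    for info in socket.getaddrinfo(host, None):
        addrs.add(info[4][0].split("%", 1)[0])  # drop IPv6 scope ids
    return sorted(addrs)


def is_safe_remote_url(url, resolver=resolve_host):
    """Return (ok, reason). ok is True only when the URL uses http(s) and every
    address its host maps to is globally routable."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP in the URL
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError, KeyError) as exc:
            return False, f"could not resolve {host!r}: {exc}"
    if not addrs:
        return False, f"{host!r} resolved to no addresses"
    for addr in addrs:
        if is_internal_address(addr):
            return False, f"{host!r} maps to non-public address {addr}"
    return True, "ok"


# Constructed resolver for offline use: these hostnames and addresses are
# sample data, not real DNS answers.
SAMPLE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "updates.example": ["8.8.8.8"],
    "rebind.example": ["8.8.8.8", "10.0.0.5"],  # one public, one private record
}


def sample_resolver(host):
    return SAMPLE_DNS[host]


if __name__ == "__main__":
    for candidate in [
        "https://updates.example/service.zip",
        "http://127.0.0.1:4444/service.zip",
        "http://localhost:4444/service.zip",
        "http://[::1]:8529/_api/version",
        "http://[::ffff:127.0.0.1]/service.zip",
        "http://169.254.169.254/",
        "http://rebind.example/service.zip",
        "ftp://updates.example/service.zip",
    ]:
        print(candidate, "->", is_safe_remote_url(candidate, resolver=sample_resolver))
```

Two caveats a practitioner should keep in mind: validating the URL and then fetching it in a separate step leaves a window in which DNS can change (rebinding), so the robust form connects to the address that was validated rather than re-resolving; and each HTTP redirect is a new destination that must pass the same check.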
PoC Details
For demonstration purposes, we open a netcat listener on the machine where ArangoDB is installed, to stand in for an open local service.
Log in as a highly privileged user. Go to Services, choose Remote, and enter a URL. Enter the server's URL with the open netcat port. Set the mount point to mnt/hello.
On the netcat listener terminal, we can see that the request was received internally.
Affected Environments
All versions of ArangoDB 3.7; all versions of ArangoDB 3.8 (3.8.5 onwards can be mitigated in the startup configuration); ArangoDB 3.9 prior to v3.9.0-beta.1.
Prevention
If you are using ArangoDB 3.8 or earlier: upgrade to ArangoDB 3.8.5 or later, and be sure to set the `--foxx.allow-install-from-remote` startup option to false; otherwise the application will still be vulnerable.
If you are using ArangoDB 3.9: upgrade to 3.9.0-beta.1 or later.
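Because 3.8.5 and later ship with the feature enabled by default, an upgrade alone is not enough; the setting has to be verified on every node. The following is an added example, not ArangoDB's own tooling, that audits the effective value of `--foxx.allow-install-from-remote` from an arangod.conf body and the arangod command line. It assumes (this is not stated in the advisory) that arangod.conf is INI-style and that a startup option `--<section>.<key>` corresponds to `key = value` under `[section]`, and it only applies to 3.8.5 and later, where the option exists. The config bodies are constructed sample data.

```python
import configparser

# Assumption (not from the advisory): --foxx.allow-install-from-remote maps to
# "allow-install-from-remote = ..." under a [foxx] section of arangod.conf.
SECTION = "foxx"
KEY = "allow-install-from-remote"
FLAG = f"--{SECTION}.{KEY}"
# The advisory states 3.8.5+ enables the feature by default, so an absent
# setting counts as enabled.
DEFAULT_ENABLED = True
FALSE_VALUES = {"false", "no", "off", "0"}


def setting_from_conf(conf_text):
    """Value of [foxx] allow-install-from-remote in a config body, or None."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(conf_text)
    if parser.has_option(SECTION, KEY):
        return parser.get(SECTION, KEY).strip()
    return None


def setting_from_args(argv):
    """Value given on the command line as '--flag value' or '--flag=value',
    or None. The last occurrence wins."""
    value = None
    args = list(argv)
    for i, arg in enumerate(args):
        if arg == FLAG and i + 1 < len(args):
            value = args[i + 1]
        elif arg.startswith(FLAG + "="):
            value = arg.split("=", 1)[1]
    return value


def remote_install_enabled(conf_text, argv=()):
    """Effective state. A command-line value overrides the config file, and
    anything that is not an explicit false-like value is reported as enabled,
    so a typo in the setting shows up as still vulnerable."""
    value = setting_from_args(argv)
    if value is None:
        value = setting_from_conf(conf_text)
    if value is None:
        return DEFAULT_ENABLED
    return value.strip().lower() not in FALSE_VALUES


def audit(conf_text, argv=()):
    if remote_install_enabled(conf_text, argv):
        return "VULNERABLE: remote Foxx install is enabled"
    return "OK: remote Foxx install is disabled"


# Constructed config bodies for the demo (sample data, not a real deployment).
WEAK_CONF = """\
[server]
endpoint = tcp://0.0.0.0:8529

[foxx]
queues = true
"""

HARDENED_CONF = WEAK_CONF + "allow-install-from-remote = false\n"

if __name__ == "__main__":
    print("weak config:         ", audit(WEAK_CONF))
    print("hardened config:     ", audit(HARDENED_CONF))
    print("hardened + CLI true: ", audit(HARDENED_CONF, [FLAG, "true"]))
    print("weak + CLI false:    ", audit(WEAK_CONF, [FLAG + "=false"]))
```

To run it against a real node, pass the contents of the node's arangod.conf and the argument vector of the running arangod process (for example from the service unit or process listing); a value set in a different section, such as `[server]`, is correctly ignored, and the report errs on the side of flagging the node.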
Good to know:

| Metric                   | Value   |
|--------------------------|---------|
| Attack Vector (AV)       | Network |
| Attack Complexity (AC)   | Low     |
| Privileges Required (PR) | High    |
| User Interaction (UI)    | None    |
| Access Vector (AV)       | Network |
| Access Complexity (AC)   | Low     |