漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Appsmith: SSRF in REST API / GraphQL datasource plugins via insufficient host denylist
Vulnerability Description
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils (used by the REST API and GraphQL datasource plugins) validates hosts against an exact-match string denylist. The comprehensive address-class check (loopback, any-local, link-local, fc00::/7) exists only on a separate code path used by SMTP, not by the HTTP plugin path. As a result, an authenticated user can craft outbound requests that reach loopback-bound services inside the container. This vulnerability is fixed in 2.1.
CVSS Information
N/A
Vulnerability Type
服务端请求伪造(SSRF)
Vulnerability Title
Appsmith 服务端请求伪造漏洞
Vulnerability Description
Appsmith是Appsmith团队开源的一个用于构建、部署和维护内部应用程序的开源平台。 Appsmith 2.1之前版本存在服务端请求伪造漏洞,该漏洞源于WebClientUtils应用的外发HTTP主机过滤器仅根据精确匹配字符串黑名单验证主机,而全面的地址类检查仅存在于SMTP的单独代码路径中,可能导致经过身份验证的用户构造外发请求访问容器内的回环绑定服务。
CVSS Information
N/A
Vulnerability Type
N/A