This is a serious issue that can be exploited by a remote attacker to perform unauthorized actions on your app.

If you are using a version prior to 1.8.2, you need to upgrade to the latest version as soon as possible.

What if you are using an older version of AppSmith?

If you are using anything below 1.8.2, you are exposing your app to a critical SSRF vulnerability. What to do? Upgrade to 1.8.2 as soon as possible.
Signing in with GitHub does not protect your app from SSRF.

How can SSRF occur in AppSmith?

SSRF can occur in AppSmith if you are using a version prior to 1.8.2 and you are attempting to perform an action on your app's GitHub repository by clicking on the "Log In" button.
Below is a screenshot of the vulnerability:
When GitHub tries to fetch the user's credentials, it sends its GET request without any SSL certificate, and hence any attacker can make requests on your website without requiring a username or password.

How is SSRF exploited?

SSRF is a serious vulnerability and can be exploited by a remote attacker to perform unauthorized actions on your app. This is accomplished by sending specially crafted requests to the vulnerable endpoint that result in execution of arbitrary code on the server machine.

If you are using an older version of AppSmith, you need to upgrade to the latest version as soon as possible.

How does SSRF work?

SSRF stands for Server-Side Request Forgery. It is the act of performing unauthorized actions on a server by sending a request to the wrong location on the server.
Server-Side Request Forgery attacks are possible when an application is hosted on an unpatched version of PHP, Web API, or other software that does not protect against SSRF attacks. The attacker just needs to find a way to issue requests that arrive at the right location in order to perform an unauthorized action.
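
The protection that paragraph refers to usually takes the form of a destination check run before the server fetches any URL it was handed. The following is an added example, not AppSmith's code or its 1.8.2 fix; the function names, the SAMPLE_DNS table and its hosts are assumptions constructed so the check runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline (hypothetical hosts).
SAMPLE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "internal.example.com": ["10.0.0.5"],
    # One public and one loopback record: every answer has to be checked.
    "mixed.example.com": ["93.184.216.34", "127.0.0.1"],
}

def resolve(host):
    """Return the addresses for host: IP literals as-is, names from SAMPLE_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return SAMPLE_DNS.get(host.lower(), [])

def is_allowed_destination(url):
    """Return (allowed, reason) for a URL the server has been asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    addrs = resolve(host)
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # An IPv4-mapped IPv6 address is judged as the IPv4 address it embeds.
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        # Rejects loopback, private, link-local and other non-public ranges.
        if not ip.is_global:
            return False, f"{ip} is not a public address"
    return True, "ok"

if __name__ == "__main__":
    for u in ("https://api.example.com/v1", "http://internal.example.com/",
              "http://169.254.169.254/", "http://[::ffff:127.0.0.1]/"):
        print(u, is_allowed_destination(u))
```

In a real service the HTTP client must connect to the address that was vetted, and the same check has to be repeated for every redirect hop.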

How to use SSRF to perform unauthorized actions on your app?

As for AppSmith, you should upgrade to 1.8.2 or later as soon as possible. You can also disable the Login feature of your app by disabling "Login with GitHub" and following these steps:
1) Open your .env file
2) Change ATS_LOGIN_GITHUB_REDIRECT to false (or whatever value you want).

Timeline

Published on: 11/21/2022 15:15:00 UTC
Last modified on: 11/23/2022 15:57:00 UTC
