According to the OpenSearch Notifications plugin developers, the SSRF issue lived in the plugin's outbound destination handling: the plugin makes HTTP requests from the OpenSearch node to destinations configured by users, and the destination URL was not restricted to the plugin's intended scope. The issue was reported to the developers privately, acknowledged, and fixed in a later OpenSearch patch release before the CVE record was published on November 11th, 2022. Deployments still running an affected release should upgrade to the fixed release named in the advisory.

SSRF and OpenSearch Notifications plugin

The SSRF vulnerability in the OpenSearch Notifications plugin was reported to the OpenSearch developers by security researcher Gynvael Coldwind and was known to them for about a week before it was reported publicly.

Scenario

You operate an OpenSearch cluster whose Notifications plugin delivers alerts to destinations such as custom webhooks, and a user with permission to configure notification channels is allowed to supply the destination URL. Server-Side Request Forgery (SSRF) means that the OpenSearch node, not the user's browser, makes the HTTP request to that URL.
If the URL is not validated, that user can point a destination at hosts the node can reach but they cannot, for example http://127.0.0.1:9200/_cluster/health on the node itself, another node's admin interface, or a cloud instance-metadata endpoint such as http://169.254.169.254/. The response, or the difference between a refused connection and a timeout, tells the user which internal services are listening, and because the plugin sends a request body the user can also interact with internal services that accept unauthenticated requests. The damage is bounded by what the node can reach, which is why the advisory describes the impact as enumerating listening services and interacting with configured resources beyond the plugin's intended scope.


The CVE-2022-41906 vulnerability has been patched, but we still recommend taking the following steps to make sure your cluster is protected:
1) Upgrade OpenSearch and the Notifications plugin to a release that contains the fix, and confirm the installed plugin version on every node, since plugin versions track the OpenSearch version.
2) Restrict who can create or edit notification channels and destinations to trusted administrators, using the Security plugin's role-based access control rather than broad cluster-admin privileges.
3) Put egress controls around the OpenSearch nodes: block outbound HTTP from the nodes to loopback, RFC 1918, link-local and cloud-metadata address ranges, or route webhook traffic through a proxy that allowlists destination hosts.
4) If you cannot upgrade promptly, disable or remove the Notifications plugin on all nodes until you can.
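The following is an added example (not code from the OpenSearch project) of the server-side check that the scenario above lacks and that recommendation 3 approximates at the network layer: a destination-URL validator that rejects anything resolving to a non-public address, shown beside the "accept whatever the user typed" behaviour. The hostnames and the `fake_resolver` table are constructed for the example so it runs offline; a real deployment would use `default_resolver`.

```python
"""Validate a user-supplied notification destination before the server fetches it.

Added illustration, not the OpenSearch Notifications plugin's own code.
"""
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses.

    ipaddress.is_global already rejects loopback, RFC 1918, link-local
    (169.254.0.0/16, which covers the cloud metadata endpoint), CGNAT,
    unique-local IPv6 and multicast; the extra checks are defensive.
    """
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so it gets the IPv4 verdict.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not (ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def default_resolver(host: str) -> list[str]:
    """Resolve every A/AAAA record; the caller must vet all of them.

    getaddrinfo also normalises shorthand such as 127.1 or a decimal
    integer, which is why we check resolved addresses, not host strings.
    """
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def vulnerable_destination(url: str) -> str:
    """'Before' behaviour: any URL the user typed is used as-is."""
    return url


def validate_destination(url: str, resolver=default_resolver) -> tuple[bool, str, list[str]]:
    """Return (ok, reason, resolved_addresses) for a proposed webhook URL."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    if not parts.hostname:
        return False, "no host", []
    # "http://169.254.169.254@evil.example/" parses as user 169.254.169.254
    # at host evil.example; refuse embedded credentials outright.
    if parts.username or parts.password:
        return False, "credentials in URL", []
    host = parts.hostname
    try:
        # A bare IP literal must pass the same check as a resolved name.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:  # socket.gaierror is an OSError
            return False, f"resolution failed: {exc}", []
    if not addrs:
        return False, "name resolved to nothing", []
    # A name that resolves to one public and one private address is an
    # attack (split-horizon or rebinding setup), so every record must pass.
    bad = [a for a in addrs if not _is_public_address(a)]
    if bad:
        return False, f"resolves to non-public address(es) {bad}", addrs
    return True, "ok", addrs


# Constructed name table for the offline demonstration.
FAKE_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "rebind.attacker.test": ["93.184.216.34", "10.0.0.5"],
    "metadata.internal.test": ["169.254.169.254"],
}


def fake_resolver(host: str) -> list[str]:
    """Stand-in for default_resolver so the example needs no network."""
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[host]


def run_demo() -> dict[str, bool]:
    """Evaluate a set of constructed destination URLs; returns url -> accepted."""
    urls = [
        "https://hooks.example.com/services/T0/B0/x",
        "http://127.0.0.1:9200/_cluster/health",
        "http://[::1]:9200/",
        "http://169.254.169.254/latest/meta-data/",
        "http://metadata.internal.test/",
        "http://rebind.attacker.test/",
        "http://[::ffff:10.0.0.5]/",
        "ftp://hooks.example.com/",
        "http://169.254.169.254@hooks.example.com/",
    ]
    return {u: validate_destination(u, fake_resolver)[0] for u in urls}


if __name__ == "__main__":
    for url, ok in run_demo().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {url}")
```

Two caveats on using this. First, the check is only as good as its binding to the connection: the HTTP client must connect to one of the addresses that were validated (pin it, or re-resolve and re-validate immediately before connecting), otherwise a DNS record with a short TTL can be rebound to an internal address between the check and the fetch. Second, the client must not follow redirects automatically, because a public host can 302 to http://169.254.169.254/ and bypass the check; either disable redirects or run every hop through `validate_destination`.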

Timeline

Published on: 11/11/2022 19:15:00 UTC
Last modified on: 11/16/2022 17:08:00 UTC

References