Submission #805707: jeecgboot JeecgBoot <= v3.9.1 SSRF - Information

Title: jeecgboot JeecgBoot <= v3.9.1 SSRF
Description: A second-order Server-Side Request Forgery (SSRF) vulnerability exists in the announcement file download feature of jeecgboot_JeecgBoot. An attacker can inject malicious HTTP URLs into the files field of an announcement via the POST /sys/annountCement/add endpoint, as the application fails to perform URL or IP validation. When a user or administrator subsequently triggers a download of the announcement attachments via the GET /sys/annountCement/downLoadFiles endpoint, the server fetches the injected URLs using HttpURLConnection without SSRF protections. This vulnerability allows attackers to scan internal networks, access local services, and retrieve sensitive data such as cloud metadata.
Source: ⚠️ https://github.com/jeecgboot/JeecgBoot/issues/9553
User: Ana10gy (UID 93358)
Submitted: 15/04/2026 05:16 PM (2 months ago)
Moderation: 01/05/2026 01:58 PM (16 days later)
Status: Approved
VulDB Entry: 360560 [JeecgBoot up to 3.9.1 LoadFile Endpoint FileDownloadUtils.jav checkPathTraversalBatch files privilege bypass]
Points: 20
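As an added illustration, and not code from JeecgBoot or from the report above, the following Python shows the destination check that the described add/download flow lacks: every URL stored in the announcement's files field is validated (allowed scheme, no embedded credentials, and every address the host resolves to must be a public one) before the server fetches it. The function and module names, the comma-separated layout of the files field, and the offline resolver table are assumptions made for the example.

```python
"""Added example (not JeecgBoot code): an SSRF destination check of the kind
the downLoadFiles fetch described above is missing. Run the check when the
announcement is saved and again immediately before each server-side fetch."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Production resolver: every address (A and AAAA) the name resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_internal_address(addr):
    """True for any address an outbound fetch must never reach: loopback,
    RFC 1918, link-local (which includes 169.254.169.254, the cloud metadata
    endpoint), multicast, unspecified and other non-global ranges.
    IPv4-mapped IPv6 literals such as ::ffff:127.0.0.1 are unwrapped first so
    they cannot be used to sneak a private IPv4 target past the check."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def validate_download_url(url, resolver=resolve_host):
    """Decide whether `url` may be fetched server-side. Returns (allowed, reason).
    `resolver` is injectable so the check can be exercised without DNS access."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {scheme or '<none>'}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    # Literal IPs are checked directly; names are resolved and *every* returned
    # address must be global, otherwise a split-horizon or attacker-controlled
    # DNS name that also answers with an internal address would slip through.
    try:
        addresses = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
        if not addresses:
            return False, "host resolved to no addresses"
    for addr in addresses:
        if is_internal_address(addr):
            return False, f"destination {addr} is not a public address"
    return True, "ok"


def filter_files_field(files_field, resolver=resolve_host):
    """Split a comma-separated files value (assumed storage format) and keep
    only the URLs that pass the check; rejected ones are returned with reasons."""
    kept, rejected = [], []
    for raw in files_field.split(","):
        url = raw.strip()
        if not url:
            continue
        ok, reason = validate_download_url(url, resolver)
        (kept if ok else rejected).append((url, reason))
    return kept, rejected


# Constructed sample input of the kind the report describes (not real data).
SAMPLE_FILES_FIELD = ",".join([
    "http://127.0.0.1:8080/actuator/env",
    "http://169.254.169.254/latest/meta-data/",
    "http://[::ffff:10.0.0.5]/",
    "file:///etc/passwd",
    "https://files.example.com/notice.pdf",
])

# Constructed resolver table so the example runs offline (an assumption;
# real deployments use resolve_host). 93.184.216.34 is a public address.
DEMO_DNS = {
    "files.example.com": {"93.184.216.34"},
    "internal.example.com": {"10.0.0.7"},
}


def demo_resolver(host):
    if host not in DEMO_DNS:
        raise OSError(f"unknown host {host}")
    return DEMO_DNS[host]


if __name__ == "__main__":
    kept, rejected = filter_files_field(SAMPLE_FILES_FIELD, demo_resolver)
    for url, reason in rejected:
        print("REJECT", url, "->", reason)
    for url, _ in kept:
        print("ALLOW ", url)
```

Two caveats a reviewer would raise on any fix of this shape: the resolve-then-fetch sequence is still open to DNS rebinding, so the fetching client should connect to the address that was validated (or pin it) rather than resolving the name a second time, and HTTP redirects must either be disabled or have each redirect target passed through the same check, since a public host can simply 302 to 169.254.169.254.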
