| タイトル | jeecgboot JeecgBoot JeecgBoot versions containing the vulnerable /sys/common/uploadImgByHttp implementation before vendor fix Server-Side Request Forgery |
|---|
| 説明 | An authenticated server-side request forgery vulnerability exists in JeecgBoot's remote image upload functionality.
The endpoint /sys/common/uploadImgByHttp accepts a user-controlled remote image URL. The application converts the remote URL into a multipart file by opening an outbound HTTP connection before the SSRF/file-type protection check is performed.
Source-level chain:
POST /sys/common/uploadImgByHttp
→ CommonController.uploadImgByHttp(@RequestBody JSONObject)
→ user-controlled remote URL
→ HttpFileToMultipartFileUtil.httpFileToMultipartFile(fileUrl, filename)
→ downloadImageData(fileUrl)
→ new URL(fileUrl)
→ HttpURLConnection.openConnection()
→ connection.setRequestMethod("GET")
→ server sends outbound request
→ SsrfFileTypeFilter.checkUploadFileType(...) runs afterward
Because the network request is sent before SSRF validation, an authenticated attacker can cause the server to request attacker-controlled URLs or internal HTTP services. This may allow internal network probing or access to services reachable from the JeecgBoot server, depending on the deployment environment.
The issue is caused by performing SSRF/file validation after the outbound request has already occurred. |
|---|
| ソース | ⚠️ https://github.com/jeecgboot/jeecg-boot |
|---|
| ユーザー | feng123123 (UID 95215) |
|---|
| 送信 | 2026年04月26日 07:35 (1 月 ago) |
|---|
| モデレーション | 2026年05月23日 16:08 (27 days later) |
|---|
| ステータス | 重複 |
|---|
| VulDBエントリ | 347315 [JeecgBoot 3.9.0 uploadImgByHttp fileUrl 特権昇格] |
|---|
| ポイント | 0 |
|---|