Submeter #805708: jeecgboot JeecgBoot <= v3.9.1 SSRFinformação

Títulojeecgboot JeecgBoot <= v3.9.1 SSRF
DescriçãoA second-order Server-Side Request Forgery (SSRF) vulnerability exists in the OpenApi service of jeecgboot_JeecgBoot. The /openapi/add endpoint lacks proper authorization (missing @RequiresPermissions) and input validation, allowing any authenticated user to inject malicious URLs into the originUrl database field. When the /openapi/call/{path} endpoint is subsequently invoked, the application retrieves the unvalidated URL and makes an outbound HTTP request using restTemplate.exchange(). This allows attackers to bypass network segmentation, scan internal network services, and exfiltrate sensitive cloud metadata or local credentials.
Fonte⚠️ https://github.com/jeecgboot/JeecgBoot/issues/9554
Utilizador
 Ana10gy (UID 93358)
Submissão15/04/2026 17h16 (há 2 meses)
Moderação01/05/2026 13h58 (16 days later)
EstadoAceite
Entrada VulDB360561 [JeecgBoot até 3.9.1 OpenApi Service OpenApiController.java OpenApiController.add/OpenApiController.call originUrl database Elevação de Privilégios]
Pontos20

VoltarVisão GeralPróximo

Want to stay up to date on a daily basis?

Enable the mail alert feature now!