| Field | Value |
|---|---|
| Title | Bytedesk <=1.3.9 SSRF |
| Description | The endpoint GET /gitee/api/v1/models passes a user-supplied apiUrl parameter directly to RestTemplate.exchange() without any URL validation or allowlist. The server issues an HTTP request to the attacker-controlled URL. DNS callback logs confirm the server-side request originating from the target, enabling SSRF attacks including internal network probing, cloud IMDS access, and potential credential exfiltration. |
| Source | https://github.com/Bytedesk/bytedesk/issues/21 |
| User | ZAST.AI (UID 87884) |
| Submitted | 2026-02-26 07:19 (1 month ago) |
| Moderation | 2026-03-08 08:20 (10 days later) |
| Status | Accepted |
| VulDB Entry | 349756 [Bytedesk up to 1.3.9 SpringAIGiteeRestController SpringAIGiteeRestService.java getModels apiUrl privilege escalation] |
| Points | 19 |
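The fix the description implies is to validate apiUrl against an allowlist before it ever reaches RestTemplate.exchange(). The following is an added illustration, not Bytedesk's code: a hypothetical getModels() that accepts only https URLs to an assumed upstream host (ai.gitee.com is an assumption here; the real allowlist depends on the deployment).

```java
// Added example (not Bytedesk's code): a hypothetical hardened getModels()
// that checks a user-supplied apiUrl against a host allowlist before
// handing it to RestTemplate.exchange().
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.web.client.RestTemplate;

public class GiteeModelsClient {
    // Assumed allowlist: only the upstream Gitee AI host is a legitimate target.
    private static final Set<String> ALLOWED_HOSTS = Set.of("ai.gitee.com");
    private final RestTemplate restTemplate = new RestTemplate();

    /** Reject anything that is not an https URL to an allowlisted host. */
    static URI validateApiUrl(String apiUrl) {
        URI uri;
        try {
            uri = new URI(apiUrl).normalize();
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed apiUrl");
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException("apiUrl must use https");
        }
        // Reject a userinfo component so "user@host" forms cannot confuse
        // host matching, and compare the parsed host, not the raw string.
        if (uri.getUserInfo() != null || uri.getHost() == null
                || !ALLOWED_HOSTS.contains(uri.getHost().toLowerCase())) {
            throw new IllegalArgumentException("apiUrl host not allowed");
        }
        return uri;
    }

    /** Hypothetical replacement for the unchecked getModels(apiUrl) path. */
    public ResponseEntity<String> getModels(String apiUrl) {
        URI target = validateApiUrl(apiUrl);
        return restTemplate.exchange(target, HttpMethod.GET, null, String.class);
    }
}
```

A host allowlist alone does not cover HTTP redirects, which the default RestTemplate request factory follows; a production fix should also disable redirect following or re-validate the redirect target.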