| 标题 | jeecgboot JeecgBoot JeecgBoot versions containing the vulnerable /sys/common/uploadImgByHttp implementation before vendor fix Server-Side Request Forgery |
|---|
| 描述 | An authenticated server-side request forgery vulnerability exists in JeecgBoot's remote image upload functionality.
The endpoint /sys/common/uploadImgByHttp accepts a user-controlled remote image URL. The application converts the remote URL into a multipart file by opening an outbound HTTP connection before the SSRF/file-type protection check is performed.
Source-level chain:
POST /sys/common/uploadImgByHttp
→ CommonController.uploadImgByHttp(@RequestBody JSONObject)
→ user-controlled remote URL
→ HttpFileToMultipartFileUtil.httpFileToMultipartFile(fileUrl, filename)
→ downloadImageData(fileUrl)
→ new URL(fileUrl)
→ HttpURLConnection.openConnection()
→ connection.setRequestMethod("GET")
→ server sends outbound request
→ SsrfFileTypeFilter.checkUploadFileType(...) runs afterward
Because the network request is sent before SSRF validation, an authenticated attacker can cause the server to request attacker-controlled URLs or internal HTTP services. This may allow internal network probing or access to services reachable from the JeecgBoot server, depending on the deployment environment.
The issue is caused by performing SSRF/file validation after the outbound request has already occurred. |
|---|
| 来源 | ⚠️ https://github.com/jeecgboot/jeecg-boot |
|---|
| 用户 | feng123123 (UID 95215) |
|---|
| 提交 | 2026-04-26 07時35分 (1 月前) |
|---|
| 管理 | 2026-05-23 16時08分 (27 days later) |
|---|
| 状态 | 重复 |
|---|
| VulDB条目 | 347315 [JeecgBoot 3.9.0 uploadImgByHttp fileUrl 权限提升] |
|---|
| 积分 | 0 |
|---|