[SONAR-14682] Fix Blind Server-Side Request Forgery (SSRF) in Webhook - SonarSource

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 8.8
Fix Version/s: 8.9
Component/s: None
Labels:
- hardening-LTS-8.x

Edition:
Community
Production Notes:
None

Description

Webhooks are exposed to a Blind Server-Side Request Forgery vulnerability: local IPs of the instance can be invoked.

From now on, by default, webhooks are not allowed to point to the local IPs of the instance, nor the loopback address.
You can change this behavior in the global configuration: Administration > General Settings > Security, setting "Enable local webhooks validation" to false.
Disabling this setting can expose the instance to security risks.

Attachments

Activity

People

Assignee:: Belén Pruvost

Reporter:: Belén Pruvost

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Due:: 20/Apr/21

Created:: 09/Apr/21 2:08 PM

Updated:: 04/May/21 5:14 PM

Resolved:: 29/Apr/21 6:27 PM