Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 8.8
- Fix Version/s: 8.9
- Component/s: None
- Labels:
- Edition: Community
- Production Notes: None
Description
Webhooks are exposed to a blind Server-Side Request Forgery (SSRF) vulnerability: a webhook can be pointed at the local IPs of the instance, which are then invoked by the server itself.
From now on, by default, webhooks are not allowed to point to the local IPs of the instance, nor the loopback address.
You can change this behavior in the global configuration: Administration > General Settings > Security, setting "Enable local webhooks validation" to false.
Disabling this setting can expose the instance to security risks.
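A target check of the kind this fix describes, as an added example (not the product's own code). The `enable_local_validation` flag stands in for the setting named above, and the `instance_addresses` set and `resolver` hook are assumptions of the example, standing in for the instance's own interface addresses and for DNS lookup.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def default_resolver(host):
    """Resolve a hostname to every address it currently maps to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def is_local_address(addr):
    """True for loopback, private, link-local and other non-routable addresses."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_reserved or addr.is_multicast)

def check_webhook_url(url, *, enable_local_validation=True,
                      instance_addresses=frozenset(), resolver=default_resolver):
    """Return (allowed, reason) for a proposed webhook target.
    enable_local_validation stands in for the "Enable local webhooks validation"
    setting: True (the default) rejects local targets, False restores the old
    behaviour. instance_addresses holds the instance's own interface addresses
    (supplied by the caller). Every address the host resolves to must pass, so
    a name with one public and one loopback record is rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "webhook URL must be an absolute http(s) URL"
    if not enable_local_validation:
        return True, "local webhook validation disabled (risky)"
    host = parts.hostname
    try:
        targets = [ipaddress.ip_address(host)]  # IP literal, no DNS lookup
    except ValueError:
        try:
            targets = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return False, f"cannot resolve {host}"
    if not targets:
        return False, f"{host} resolved to no addresses"
    own = {ipaddress.ip_address(a) for a in instance_addresses}
    for target in targets:
        if is_local_address(target):
            return False, f"{host} resolves to local address {target}"
        if target in own:
            return False, f"{host} resolves to the instance's own address {target}"
    # Connect to these validated addresses rather than resolving the name again,
    # otherwise a DNS answer that changes between check and request bypasses it.
    return True, "ok"
```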