SonarQube issue SONAR-14682

Fix Blind Server-Side Request Forgery (SSRF) in Webhook


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 8.8
    • Fix Version/s: 8.9
    • Component/s: None
    • Edition: Community
    • Production Notes: None

      Description

      Webhooks are exposed to a Blind Server-Side Request Forgery vulnerability: local IPs of the instance can be invoked.

      From now on, by default, webhooks are not allowed to point to the local IPs of the instance, nor the loopback address.
      You can change this behavior in the global configuration (Administration > General Settings > Security) by setting "Enable local webhooks validation" to false.
      Disabling this setting can expose the instance to security risks.
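The following is an added, illustrative example of the kind of destination check the fix describes; it is not SonarQube's own code. It parses a webhook URL, resolves the host (through an injectable resolver so it can run offline against constructed DNS data), and rejects any address that is the loopback address or one of the instance's own IPs, which are passed in as a constructed set. The `local_webhooks_validation` flag mirrors the "Enable local webhooks validation" setting; all names here are assumptions.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional, Set, Union
from urllib.parse import urlsplit

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve a host name to IP literals with the OS resolver (needs network)."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def _unmap(ip: IPAddr) -> IPAddr:
    """Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1 -> 127.0.0.1) so the
    loopback/instance checks cannot be bypassed by re-encoding the address."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_local_target(ip: IPAddr, instance_ips: Iterable[IPAddr]) -> bool:
    """True if the address is the loopback address or one of the instance's own IPs."""
    ip = _unmap(ip)
    return ip.is_loopback or ip in {_unmap(i) for i in instance_ips}


def validate_webhook_url(
    url: str,
    instance_ips: Iterable[IPAddr],
    resolver: Resolver = system_resolver,
    local_webhooks_validation: bool = True,
) -> Optional[str]:
    """Return None if the URL may be stored as a webhook, otherwise a rejection reason."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return f"unsupported scheme: {parts.scheme!r}"
    host = parts.hostname  # lower-cased, IPv6 brackets stripped
    if not host:
        return "missing host"
    if not local_webhooks_validation:
        return None  # setting disabled: behave as before the fix
    try:
        targets = [ipaddress.ip_address(host)]  # literal IP in the URL
    except ValueError:
        try:
            targets = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError) as exc:
            return f"cannot resolve {host!r}: {exc}"
        if not targets:
            return f"{host!r} resolved to no addresses"
    # Every address the name resolves to must be acceptable, not just the first.
    for target in targets:
        if is_local_target(target, instance_ips):
            return f"{host!r} resolves to local address {target}"
    return None


# Constructed sample data: the instance's own IP and a fake DNS table.
INSTANCE_IPS: Set[IPAddr] = {ipaddress.ip_address("10.0.0.5")}
FAKE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "ci.example.test": ["203.0.113.10"],
    "rebind.example.test": ["203.0.113.10", "127.0.0.1"],
}


def fake_resolver(host: str) -> List[str]:
    """Offline stand-in for system_resolver using the constructed table."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host!r}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in (
        "https://ci.example.test/hook",
        "http://127.0.0.1:9000/api",
        "http://[::ffff:127.0.0.1]/",
        "http://localhost/",
        "http://10.0.0.5/",
        "http://rebind.example.test/",
    ):
        reason = validate_webhook_url(candidate, INSTANCE_IPS, fake_resolver)
        print(f"{candidate:40} -> {'allowed' if reason is None else reason}")
```

A check made only when the webhook is saved does not cover a name whose DNS answer changes later, so a deployment would repeat the same check against the address actually connected to at delivery time.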


            People

            Assignee:
            belen.pruvost Belén Pruvost
            Reporter:
            belen.pruvost Belén Pruvost
            Votes: 0
            Watchers: 3
