We have identified a Server-Side Request Forgery (SSRF) vulnerability in makeplane/plane. This issue may allow an attacker to send arbitrary requests from the server hosting the application, potentially leading to unauthorized access to internal systems.
Impact
The impact of this vulnerability includes, but is not limited to:
- Unauthorized access to internal services accessible from the server.
- Potential leakage of sensitive information from internal services.
- Manipulation of internal systems by interacting with internal APIs.
Affected Components
Version(s) Affected: <= v0.16-dev
Fixed in Version: v0.17-dev
SSRF vulnerabilities occur when an attacker can make the server issue HTTP requests to a destination of the attacker's choosing. In this case, the Jira importer API can be used as a proxy to make requests to any other server, including services that are only reachable from the host running Plane. This allows an attacker to use the host machine as a proxy and hide their own activity behind it.
Mitigation and Remediation
We strongly recommend that all users update to the latest version of Plane, where this vulnerability has been addressed. If you are unable to update immediately, consider the following mitigation steps:
- Restrict outgoing network connections from servers hosting the application to essential services only.
- Implement strict input validation on URLs or parameters that are used to generate server-side requests.
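The following is an added example of the "strict input validation" mitigation above, written here to illustrate the point; it is not Plane's code and not the fix shipped in v0.17. It assumes the importer receives a user-supplied Jira base URL and fetches it server-side. The hostnames, IP addresses and the FAKE_DNS table are constructed so that the example runs offline; a deployment would pass the real resolver instead.

```python
"""SSRF-safe validation of a user-supplied URL before a server-side fetch.

Added example, not Plane's code. Checks, in order:
  1. scheme is https only (no file:, gopher:, http: to plaintext internal hosts)
  2. no userinfo (user:pass@host confuses parsers and log readers)
  3. hostname matches an allowlist of suffixes (for Jira Cloud: .atlassian.net)
  4. every address the hostname resolves to is globally routable
The resolver is injectable so the behaviour can be exercised without DNS.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit


class UnsafeURL(ValueError):
    """Raised when a user-supplied URL must not be fetched by the server."""


def _is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses.

    IPv4-mapped IPv6 literals such as ::ffff:10.0.0.5 are unwrapped first so
    they are judged by the embedded IPv4 address. is_global already excludes
    loopback, RFC 1918, link-local (169.254/16, where cloud metadata lives),
    0.0.0.0/8, CGNAT and the documentation ranges; multicast is excluded
    separately because it is not in the private list.
    """
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def system_resolver(host: str) -> List[str]:
    """Return every A/AAAA record for host (an IP literal resolves to itself)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_importer_url(
    url: str,
    *,
    resolver: Callable[[str], Iterable[str]] = system_resolver,
    allowed_suffixes: Optional[Iterable[str]] = None,
) -> Tuple[str, List[str]]:
    """Return (hostname, resolved_ips) or raise UnsafeURL.

    Callers should connect to one of the returned IPs and send the hostname
    as Host/SNI, rather than resolving again, so a DNS answer that changes
    between this check and the connect (rebinding) cannot bypass it.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UnsafeURL(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo in URL is not allowed")
    host = parts.hostname  # already lowercased, brackets stripped for IPv6
    if not host:
        raise UnsafeURL("missing host")
    if allowed_suffixes is not None and not any(
        host.endswith(s) for s in allowed_suffixes
    ):
        raise UnsafeURL(f"host {host!r} is not in the allowlist")
    try:
        ips = sorted(set(resolver(host)))
    except OSError as exc:  # socket.gaierror on NXDOMAIN
        raise UnsafeURL(f"cannot resolve {host!r}: {exc}") from exc
    if not ips:
        raise UnsafeURL(f"{host!r} does not resolve")
    blocked = [ip for ip in ips if not _is_public_address(ip)]
    if blocked:
        # One private record among several is enough to reject: a rebinding
        # or round-robin answer must not be allowed to pick the bad one.
        raise UnsafeURL(f"{host!r} resolves to non-public address(es) {blocked}")
    return host, ips


def rejection_reason(url: str, **kwargs) -> Optional[str]:
    """Convenience wrapper: None if the URL is acceptable, else the reason."""
    try:
        validate_importer_url(url, **kwargs)
    except UnsafeURL as exc:
        return str(exc)
    return None


# Constructed DNS table for offline demonstration (not real records).
FAKE_DNS = {
    "acme.atlassian.net": ["52.0.0.1"],             # public only: accepted
    "rebind.atlassian.net": ["52.0.0.1", "10.0.0.5"],  # mixed answer: rejected
    "jira.corp.internal": ["10.0.0.5"],             # private: rejected
}


def fake_resolver(host: str) -> List[str]:
    """Offline stand-in for system_resolver using FAKE_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]  # IP literal resolves to itself
    except ValueError:
        return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in [
        "https://acme.atlassian.net/rest/api/3/myself",
        "http://acme.atlassian.net/",
        "https://127.0.0.1:8000/api/",
        "https://169.254.169.254/latest/meta-data/",
        "https://[::ffff:10.0.0.5]/",
        "https://rebind.atlassian.net/",
        "https://jira.corp.internal/",
    ]:
        reason = rejection_reason(
            candidate, resolver=fake_resolver, allowed_suffixes=(".atlassian.net",)
        )
        print(f"{candidate:48} -> {'OK' if reason is None else reason}")
```

Two things this check does not cover on its own: redirects, because a public host can answer 302 to an internal address, so the outbound client must not follow them (with requests, pass allow_redirects=False and treat a 3xx as an error); and the resolve-then-connect gap, which the returned IP list is meant to close by pinning the connection to an address that was actually checked.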
References
#3333
#3323