Severity: high

Server-Side Request Forgery

terriajs-server

Overview

Versions of terriajs-server prior to 2.7.4 are vulnerable to Server-Side Request Forgery (SSRF). If an attacker has access to a server that the terriajs-server proxy whitelists, or is able to modify the DNS records of a whitelisted domain, the attacker can use the terriajs-server proxy to reach any HTTP-accessible resource the server itself can reach, including private resources in the hosting environment.

Remediation

Upgrade to version 2.7.4 or later.

Advisory timeline

  1. published: Advisory Published, Jan 15th, 2019
  2. reported: Jan 15th, 2019