Advisories for Composer/Craftcms/Craft package

2026

Craft CMS: save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host

The save_images_Asset GraphQL mutation lets a user supply the URL of an image for Craft to download. The URL must use a domain name, not a raw IP address, but that restriction does not help, because the attacker controls what the domain resolves to:

1. The attacker registers a domain, attacker.domain, with an A record pointing at 169.254.169.254, the link-local address of the AWS instance metadata service.
2. The attacker invokes save_images_Asset with url http://attacker.domain/latest/meta-data/iam/security-credentials and filename "foo.txt".
3. Craft resolves the domain, fetches the IAM role credentials from the metadata service on the attacker's behalf, and stores the response as an asset that can then be downloaded at /assets/images/foo.txt.

Normal checks to verify …
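The check that defeats this class of bypass is to resolve the supplied hostname, judge every address it maps to against the link-local and private ranges, and then connect to that one pinned address rather than resolving a second time (a second lookup is what a DNS-rebinding answer exploits). The following is an added example written for this page, not Craft CMS code and not the project's fix; it is in Python rather than Craft's PHP so it runs stand-alone, and the domains attacker.example, rebind.example, v6.example and images.example, together with the FAKE_DNS table, are constructed stand-ins for real DNS.

```python
"""Resolve-then-check guard for a user-supplied image URL (added example)."""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlparse

# Ranges a server-side fetcher should never reach on a user's behalf.
# 169.254.0.0/16 contains the IMDS address 169.254.169.254 used by AWS
# (and other clouds); the IPv6 entries cover loopback, ULA and link-local.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list[str]:
    """Real DNS: return every A/AAAA answer, not just the first one."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_blocked_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 answer (::ffff:169.254.169.254) is judged as IPv4,
    # otherwise a v6-only blocklist would let the metadata address through.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_fetch_url(url: str, resolver: Resolver = system_resolver) -> str:
    """Validate an outbound fetch URL and return the single IP to connect to.

    Raises ValueError for anything the fetcher must refuse.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise ValueError("URL has no host")
    # The advisory's original rule: raw IP literals are rejected outright.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        raise ValueError("raw IP literals are not allowed")
    # The missing step: resolve the name and judge every address it maps to.
    addrs = list(resolver(host))
    if not addrs:
        raise ValueError(f"{host} does not resolve")
    for addr in addrs:
        if is_blocked_address(addr):
            raise ValueError(f"{host} resolves to blocked address {addr}")
    # Pin the address: the caller connects to this IP (sending Host: <host>)
    # instead of resolving again, so a rebinding answer on a second lookup
    # cannot bypass the check above.
    return addrs[0]


# Constructed DNS table standing in for the attacker's zone in an offline run.
FAKE_DNS = {
    "attacker.example": ["169.254.169.254"],                 # A record -> IMDS
    "rebind.example": ["203.0.113.10", "169.254.169.254"],   # mixed answers
    "v6.example": ["::ffff:169.254.169.254"],                # mapped-IPv4 dodge
    "images.example": ["203.0.113.10"],                      # legitimate host
}


def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


def classify(url: str) -> str:
    """Return 'allowed:<ip>' or 'blocked:<reason>' using the fake resolver."""
    try:
        return "allowed:" + check_fetch_url(url, fake_resolver)
    except ValueError as exc:
        return "blocked:" + str(exc)


if __name__ == "__main__":
    for u in (
        "http://attacker.example/latest/meta-data/iam/security-credentials",
        "http://rebind.example/x.png",
        "http://v6.example/x.png",
        "http://169.254.169.254/latest/meta-data/",
        "http://images.example/logo.png",
        "file:///etc/passwd",
    ):
        print(f"{u:70} {classify(u)}")
```

The guard only closes the hole if the HTTP client then honours the pinned address and does not follow redirects back through a fresh lookup; a fetcher that re-resolves the hostname, or follows a 302 to http://169.254.169.254/, reopens the same path to the metadata service.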