SUMMARY
We have identified and verified an SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints.

AFFECTED COMPONENTS (VERIFIED)
Webhook Creation (pkg/ssh/cmd/webhooks.go:125)
Backend CreateWebhook (pkg/backend/webhooks.go:17)
Backend UpdateWebhook (pkg/backend/webhooks.go:122)
Webhook Delivery (pkg/webhook/webhook.go:97)

IMPACT
This vulnerability allows repository administrators to perform SSRF attacks, potentially enabling:
a) Cloud Metadata Theft - Access AWS/Azure/GCP credentials via 169.254.169.254
b) Internal Network …
In several places where the user can insert data (e.g. names), ANSI escape sequences are not removed, which can then be used, for example, to show fake alerts. By the same token, git messages are also not sanitized when printed. Places in which this was found:
Repository Description (pkg/backend/repo.go - SetDescription)
Repository Project Name (pkg/backend/repo.go - SetProjectName)
Git Commit Author Names (pkg/ssh/cmd/commit.go:69)
Git Commit Messages (pkg/ssh/cmd/commit.go:71)
Access Token …
Attackers can create or overwrite arbitrary files with uncontrolled data. For a PoC, spin up an instance of soft-serve as explained in the README and execute the following command: ssh -p23231 localhost repo commit icecream -- --output=/tmp/pwned It should have created a file at /tmp/pwned.
A path traversal attack allows existing non-admin users to access and take over other users' repositories. A malicious user can then modify, delete, and otherwise act on repositories as if they were an admin user, without having been explicitly granted those permissions.