漏洞标题
在AWS上部署的SSRF实例通过/metadata访问了AnythingLLM
漏洞描述信息
将网页抓取器添加到AnythingLLM意味着,任何具有适当授权级别(经理、管理员和单用户模式)的用户都可以输入URL:
```http
http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance
```
这是一个特殊IP地址和URL,它仅在请求来自EC2实例内部时解析。这将允许用户查看他们特定实例的连接/秘密凭证,并能够管理它,无论最初是谁部署的。
用户需要预先了解目标实例所部署的托管基础设施的知识,但如果发送了请求,则会在EC2上解析并且他们的设置中没有配置适当的`iptable`或防火墙规则。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
漏洞类别
授权机制不正确
漏洞标题
SSRF on AWS deployed instances of AnythingLLM via /metadata
漏洞描述信息
The inclusion of the web scraper for AnythingLLM means that any user with the proper authorization level (manager, admin, and when in single user) could put in the URL
```
http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance
```
which is a special IP and URL that resolves only when the request comes from within an EC2 instance. This would allow the user to see the connection/secret credentials for their specific instance and be able to manage it regardless of who deployed it.
The user would have to have pre-existing knowledge of the hosting infra which the target instance is deployed on, but if sent - would resolve if on EC2 and the proper `iptable` or firewall rule is not configured for their setup.
CVSS信息
N/A
漏洞类别
服务端请求伪造(SSRF)
漏洞标题
AnythingLLM 代码问题漏洞
漏洞描述信息
AnythingLLM是符合业务要求的文档聊天机器人。 AnythingLLM 存在代码问题漏洞,该漏洞源于存在服务器端请求伪造漏洞。通过该漏洞可以获取AWS服务器数据。
CVSS信息
N/A
漏洞类别
代码问题