obs-service-download_files allows downloading from localhost or intranet hosts
Description
An Externally Controlled Reference to a Resource in Another Sphere vulnerability in obs-service-download_files of openSUSE Open Build Service allows authenticated users to generate HTTP requests against internal networks and potentially download data that is exposed there. This issue affects: openSUSE Open Build Service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated users of openSUSE Open Build Service can abuse obs-service-download_files to make HTTP requests to internal networks, potentially exposing internal data.
Vulnerability
An externally controlled reference to a resource in another sphere (SSRF) vulnerability exists in obs-service-download_files of openSUSE Open Build Service. The service allows authenticated users to specify arbitrary source URLs in spec files, such as http://localhost:5352/build/_workerstatus, and then performs HTTP, HTTPS, or FTP requests to those URLs on the user's behalf, including requests to localhost and intranet hosts. The issue affects all versions of openSUSE Open Build Service using the obs-service-download_files component. Similar issues also exist in the download_src_package and download_url services [1].
Exploitation
An authenticated user can craft a spec file whose Source0 URL points to an internal host (e.g., localhost, an intranet host, or a host in the DMZ). The download_files service executes a GET request to that URL and stores the response, which the attacker can then retrieve with osc cat home://_service:download_files:_workerstatus. No privileges beyond authentication are required [1].
Impact
Successful exploitation lets an attacker probe internal services, read data from internal HTTP/HTTPS/FTP servers, and potentially exfiltrate sensitive information. Because the response is stored on the OBS server where the attacker can read it, the result is information disclosure of internal network resources [1].
Mitigation
As of the latest available references, no official patch has been released for this vulnerability. Users should restrict access to the download_files service or implement network-level controls (e.g., firewalls, egress proxy filtering) that prevent the service from reaching internal hosts. The bug report remained unresolved as of its last comment in 2019 [1].
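A defender-side pre-fetch check of the kind the mitigation describes, added here as an illustration and not code from openSUSE Open Build Service or obs-service-download_files (the page shows none of the service's code): the host in a Source URL is resolved before any connection is opened, and the fetch is refused if any resolved address is loopback, private, link-local, multicast, reserved or otherwise non-public. The helper names, the constructed DNS table and the sample URLs are assumptions for the example; only http://localhost:5352/build/_workerstatus comes from the page.

```python
"""Pre-fetch destination check for a download service (illustrative, not OBS code)."""
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit

# The schemes the page says the service fetches; everything else is refused.
ALLOWED_SCHEMES = {"http", "https", "ftp"}

Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve a hostname to every A/AAAA answer via the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS answers so the example runs offline (hypothetical names).
CONSTRUCTED_DNS = {
    "download.example.org": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    # Split-horizon trick: one public answer and one private answer.
    "mirror.example.org": ["93.184.216.34", "10.0.0.7"],
}


def constructed_resolver(host: str) -> List[str]:
    return CONSTRUCTED_DNS.get(host.lower(), [])


def is_internal_address(addr: str) -> bool:
    """True for any address a fetch service must never contact: loopback,
    RFC 1918 / ULA space, link-local (e.g. 169.254.x.x metadata endpoints),
    multicast, reserved, unspecified, or anything else not globally routable."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:127.0.0.1 is loopback in disguise; judge the embedded IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        ip.is_loopback or ip.is_private or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
        or not ip.is_global
    )


def check_source_url(url: str, resolver: Resolver = system_resolver) -> str:
    """Validate a Source URL before fetching it.

    Returns the single address the client should connect to, or raises
    ValueError with the reason. Handing back the vetted address (instead of
    letting the HTTP client resolve the name again) is what closes the
    DNS-rebinding gap: connect to exactly this address and keep the original
    Host header.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")

    # A literal IP needs no lookup; a name is resolved and EVERY answer is
    # checked, because the requester may control the zone being queried.
    try:
        candidates = [str(ipaddress.ip_address(host))]
    except ValueError:
        candidates = resolver(host)
    if not candidates:
        raise ValueError(f"host does not resolve: {host!r}")
    for addr in candidates:
        if is_internal_address(addr):
            raise ValueError(f"{host!r} resolves to non-public address {addr}")
    return candidates[0]


def is_allowed_source(url: str, resolver: Resolver = system_resolver) -> bool:
    """Boolean wrapper for policy code that only needs allow/deny."""
    try:
        check_source_url(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for u in ("https://download.example.org/pkg.tar.gz",
              "http://localhost:5352/build/_workerstatus",
              "http://mirror.example.org/pkg.tar.gz"):
        print(f"{u}: {'allow' if is_allowed_source(u, constructed_resolver) else 'deny'}")
```

Two caveats a practitioner needs: the check must run again on every redirect hop, since an allowed public URL can 3xx to an internal one, and the client must connect to the address the check returned rather than re-resolving the name, otherwise a short-TTL record can answer public at check time and private at connect time.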
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: obs-service-download_files
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] bugzilla.suse.com/show_bug.cgi (MITRE reference tag x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.