VYPR
Unrated severity · NVD Advisory · Published Apr 21, 2023 · Updated Feb 4, 2025

Server-Side Request Forgery vulnerability affecting DELMIA Apriso Release 2017 through Release 2022

CVE-2023-2140

Description

An unauthenticated SSRF in DELMIA Apriso (Release 2017 through 2022) lets attackers issue arbitrary requests on the server's behalf.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability exists in DELMIA Apriso versions Release 2017 through Release 2022 [1]. The flaw allows an unauthenticated attacker to make arbitrary HTTP requests from the server running the application, potentially reaching internal or external hosts that the server can access.

Exploitation

An attacker can exploit the vulnerability remotely without any prior authentication [1]. The exact attack vector is not detailed in the available references, but typical SSRF exploitation involves manipulating URL parameters or request data to force the server to send crafted requests to attacker-chosen hosts. No user interaction is required.

Impact

Successful exploitation enables the attacker to issue requests to arbitrary hosts on behalf of the DELMIA Apriso server [1]. This could lead to information disclosure from internal services, port scanning of internal networks, or further attacks against other systems that trust the server's origin. The full scope of compromise depends on the server's network permissions and accessible resources.

Mitigation

Dassault Systèmes has not yet published a security fix or workaround in the referenced advisory as of the publication date [1]. Users should monitor the vendor advisory page for updates. No indication of inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog was found in the provided references.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
