CVE-2023-32750
Description
Pydio Cells through 4.1.2 allows SSRF. For longer running processes, Pydio Cells allows for the creation of jobs, which are run in the background. The job "remote-download" can be used to cause the backend to send an HTTP GET request to a specified URL and save the response to a new file. The response file is then available in a user-specified folder in Pydio Cells.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pydio Cells through 4.1.2 allows SSRF via the remote-download job, enabling an authenticated attacker to send GET requests to arbitrary URLs and store responses.
Vulnerability
Pydio Cells versions up to and including 4.1.2 contain a server-side request forgery (SSRF) vulnerability in the background job system. The job named "remote-download" accepts parameters "urls" (a list of URLs) and "target" (a file path). When triggered via the REST API, the server sends HTTP GET requests to the specified URLs and saves the response contents to a new file in the user-specified folder [1]. Affected versions include all releases through 4.1.2, with fixes introduced in versions 4.2.0, 4.1.3, and 3.0.12 [1].
Exploitation
An attacker must have a valid authenticated session (e.g., a Bearer token) to submit a job via a PUT request to /a/jobs/user/remote-download. The request body contains a JSON object with the JobName set to "remote-download" and JSON parameters including the "urls" array and a "target" path [1]. No additional privileges beyond a standard user account are required. The job runs asynchronously, and the server issues the GET requests from its own network context [1].
Impact
Successful exploitation allows the attacker to force the Pydio Cells server to make HTTP GET requests to any reachable URL. This can be used to probe internal network services, access cloud metadata endpoints, or retrieve external content. The response body is stored as a file in a folder the attacker can access, potentially leading to information disclosure or further attacks [1]. Because the requests originate from the server's own network position, they reach any service the server itself can reach.
Mitigation
Fixed versions are 4.2.0, 4.1.3, and 3.0.12 [1]. Users of affected versions should upgrade to one of these releases. No workarounds are documented in the available references; upgrading is the recommended action.
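The Impact section above describes the classic SSRF targets (loopback services, private ranges, the link-local cloud metadata endpoint). The following is an added example, written here in Go and not taken from Pydio Cells or from the referenced fix, of the destination check a file-fetch job would apply before issuing a GET. The function names (ValidateRemoteURL, Resolver), the injectable resolver and the hostnames in main are all constructed for illustration; it goes slightly beyond the page by also covering IPv6 literals and hostnames that resolve to a mix of public and private addresses.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver abstracts DNS lookup so the check can run offline in tests.
// In production, pass net.LookupIP.
type Resolver func(host string) ([]net.IP, error)

// isDisallowedIP reports whether an address is one a server-side fetch should
// never contact: loopback, RFC 1918 / ULA private space, link-local (which
// includes 169.254.169.254-style metadata services), unspecified, multicast
// and the IPv4 broadcast address. IPv4-mapped IPv6 forms are handled by the
// net.IP methods themselves.
func isDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast() ||
		ip.Equal(net.IPv4bcast)
}

// ValidateRemoteURL returns nil when raw is an http(s) URL without embedded
// credentials whose host resolves only to public addresses. Every resolved
// address must pass; one private A record among public ones is a rejection.
func ValidateRemoteURL(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("unparseable URL: %w", err)
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
	default:
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return errors.New("credentials in URL not allowed")
	}
	host := u.Hostname() // strips port and IPv6 brackets
	if host == "" {
		return errors.New("empty host")
	}
	lower := strings.ToLower(host)
	if lower == "localhost" || strings.HasSuffix(lower, ".localhost") {
		return errors.New("localhost not allowed")
	}

	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		ips, err = resolve(host)
		if err != nil {
			return fmt.Errorf("resolve %q: %w", host, err)
		}
		if len(ips) == 0 {
			return fmt.Errorf("%q resolved to no addresses", host)
		}
	}
	for _, ip := range ips {
		if isDisallowedIP(ip) {
			return fmt.Errorf("host %q resolves to disallowed address %s", host, ip)
		}
	}
	return nil
}

func main() {
	// Constructed inputs; literal IPs and "localhost" need no DNS, so this
	// runs offline. Real deployments would pass net.LookupIP as the resolver.
	noDNS := func(host string) ([]net.IP, error) { return nil, errors.New("offline") }
	for _, raw := range []string{
		"http://169.254.169.254/latest/meta-data/",
		"http://127.0.0.1:8080/admin",
		"http://[::1]/",
		"file:///etc/passwd",
		"http://localhost/",
	} {
		fmt.Printf("%-45s -> %v\n", raw, ValidateRemoteURL(raw, noDNS))
	}
}
```

One caveat this check does not cover on its own: the address validated here must be the address actually dialed, otherwise a hostname that changes answers between the check and the fetch (DNS rebinding) slips through. In Go that means pinning the resolved IP in the HTTP client's dialer rather than letting the transport resolve the name a second time, and re-running the check on every redirect hop.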
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Pydio/Cells
- Range: <=4.1.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.