CVE-2024-33117
Description
crmeb_java v1.3.4 is vulnerable to Server-Side Request Forgery (SSRF) in the mergeList method of ImageMergeController, allowing server-side requests to arbitrary URLs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
crmeb_java v1.3.4 contains a Server-Side Request Forgery (SSRF) vulnerability in the mergeList method of the com.zbkj.front.pub.ImageMergeController class [1]. The method fails to validate user-supplied URLs, enabling the server to make requests to arbitrary internal or external resources.
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable endpoint, providing a malicious URL as input. No authentication or special privileges are required if the endpoint is publicly accessible. The server will then make a request to the attacker-controlled URL, potentially reaching internal systems [1].
Impact
Successful exploitation allows an attacker to perform network reconnaissance, access internal services, or retrieve sensitive data such as cloud metadata. The attack is limited by the server's network privileges, but it can lead to further compromise of internal infrastructure [1].
Mitigation
As of the publication date (2024-05-06), no patched version has been released by the vendor. Users are advised to implement input validation for URL parameters, restrict outbound network access from the application server, and monitor for suspicious requests. No workaround is provided in the available references [1].
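As an added illustration of the input-validation advice above (example code, not from crmeb_java or its maintainers; Python rather than the project's Java because the checks themselves are language-independent): a validator for a user-supplied image URL that enforces a scheme allowlist, an optional host allowlist, and resolve-then-check rejection of loopback, private, link-local (cloud-metadata) and IPv4-mapped addresses. The function names and the `allowed_hosts` parameter are hypothetical, and any hostnames or addresses used with it are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

def resolve_host(host):
    """Resolve a hostname with the OS resolver; returns sorted unique IPs."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_public_address(ip_str):
    """True only for a routable public unicast address: loopback, RFC 1918/ULA,
    link-local (covers the 169.254.169.254 cloud-metadata endpoint), multicast,
    reserved and unspecified addresses all fail. IPv4-mapped IPv6 is unwrapped
    first so ::ffff:10.0.0.1 cannot smuggle a private IPv4 past the check."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast

def check_fetch_url(url, allowed_hosts=None, resolver=resolve_host):
    """Validate a user-supplied image URL before the server fetches it.
    Returns (ok, reason, pinned_ips). The caller should connect to one of
    pinned_ips (keeping the original Host header) instead of resolving the
    name again, so a DNS answer that changes between check and fetch
    (rebinding) cannot steer the request to an internal address."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    host = parsed.hostname
    if not host:
        return False, "missing host", []
    if parsed.username is not None or parsed.password is not None:
        return False, "userinfo not allowed", []
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False, "host not in allowlist", []
    try:
        ipaddress.ip_address(host)  # literal IP in the URL: nothing to resolve
        ips = [host]
    except ValueError:
        try:
            ips = resolver(host)
        except OSError:
            return False, "resolution failed", []
    if not ips or not all(is_public_address(ip) for ip in ips):
        return False, "resolves to non-public address", []
    return True, "ok", ips
```

Pair this with egress filtering on the application host, since a validator alone cannot stop a request that is redirected after the check; if the HTTP client follows redirects, each hop's target must pass the same check.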
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- crmeb_java/crmeb_java
- Range: = 1.3.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.