Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXA3MnAtcmpyMi1yNDM5
Server-Side Request Forgery in terriajs-server
Versions of terriajs-server
prior to 2.7.4 are vulnerable to Server-Side Request Forgery (SSRF). If an attacker has access to a server whitelisted by the terriajs-server proxy or if the attacker is able to modify the DNS records of a domain whitelisted by the terriajs-server proxy, the attacker can use the terriajs-server proxy to access any HTTP-accessible resources that are accessible to the server, including private resources in the hosting environment.
Recommendation
Upgrade to version 2.7.4 or later.
Permalink: https://github.com/advisories/GHSA-p72p-rjr2-r439JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXA3MnAtcmpyMi1yNDM5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 5 years ago
Updated: almost 2 years ago
Identifiers: GHSA-p72p-rjr2-r439
References:
- https://github.com/TerriaJS/terriajs-server/commit/3cbc48475f50a53962f605491d0e60648a29bdf0
- https://medium.com/terria/security-vulnerability-in-terriajs-server-82c8bf4da0a5
- https://www.npmjs.com/advisories/768
- https://github.com/advisories/GHSA-p72p-rjr2-r439
Blast Radius: 0.0
Affected Packages
npm:terriajs-server
Dependent packages: 7Dependent repositories: 43
Downloads: 1,411 last month
Affected Version Ranges: < 2.7.4
Fixed in: 2.7.4
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.3.0, 1.4.0, 1.4.1, 2.0.0, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.7.0, 2.7.1, 2.7.2, 2.7.3
All unaffected versions: 2.7.4, 2.8.0, 2.9.0, 2.9.1, 2.9.2, 3.0.0, 3.0.1, 3.1.0, 3.2.0, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 4.0.0, 4.0.1