Authors : Sparsh Kulshrestha and Shashank Bharthwal
Editor : Deepanjli Paulraj
| THREAT | IMPACT | MITIGATION |
|---|---|---|
| CloudSEK ASM discovered post-authentication full-read SSRF (Server-Side Request Forgery) vulnerabilities in Appsmith's REST Client (CVE-2022-38298) and Elasticsearch datasource (CVE-2022-38299). | The SSRF vulnerabilities can be exploited to access AWS/GCP metadata services and obtain temporary security credentials of the Appsmith cloud environment. | Upgrade to Appsmith version 1.7.12 or above, which contains the fix. |
In August 2022 CloudSEK ASM, which monitors our customers’ attack surfaces, discovered several internet exposed instances of Appsmith. Given that the instances were externally exposed, CloudSEK security researchers explored them for possible pre and post authentication vulnerabilities.
Since Appsmith does not restrict signup in its default installation, we focused on its post-authentication functionality, where we discovered Server-Side Request Forgery (SSRF) vulnerabilities in its REST API plugin (CVE-2022-38298) and its Elasticsearch datasource (CVE-2022-38299).
SSRF vulnerabilities can be exploited to access the internal metadata services of AWS/GCP. Since Appsmith also offers a cloud version of its software hosted on AWS, these SSRF vulnerabilities can have a high impact.
Appsmith is an open-source low-code tool that helps developers build dashboards and admin panels very quickly. It’s a platform that helps businesses build any custom internal application within hours.
Appsmith dashboards and panels can be set up in 4 steps:
One of Appsmith's post-authentication functionalities allows users to connect to data sources using REST APIs. Appsmith's REST Client can be used to invoke a REST service API to create and execute queries. It supports the HTTP methods GET, POST, PUT and PATCH, and users can also specify headers, for example for authentication.

On replacing the API URL with a Burp Collaborator’s payload, we received an HTTP pingback immediately. However, when we tried to access the internal AWS metadata, we received a “Host not allowed” error.

Since Appsmith is an open-source tool, we reviewed the code for this functionality and found a blacklist-based check that restricts users from accessing the AWS metadata endpoint.

```java
private static final Set<String> DISALLOWED_HOSTS = Set.of(
```
List of disallowed domains (excerpt)

```java
final String host = uri.getHost();
```
Condition to validate hostname
In an attempt to bypass the SSRF blacklist protection, we implemented a redirection server that redirects the decoy request to the blacklisted server.

So we set up a PHP redirect server on our VPS that redirects incoming requests to the AWS internal metadata endpoint. In this way, we were able to exploit this SSRF vulnerability. The following redirect.php file was hosted on our VPS:

```php
<?php
```
redirect.php file content
Then we made a request to the above file from the Appsmith REST API and in response, we received the metadata from the AWS/GCP cloud.


One of Appsmith’s post-authentication functionalities allows users to connect to Elasticsearch databases as data sources.

Once the Elasticsearch database has been connected, select the query method and enter the path. We added the following path: /latest/meta-data/iam/security-credentials/. Leave the Body blank.


When this query is run, it returns the temporary security credentials for the AWS role attached to the instance.

While a post-authentication SSRF is not new, it can have significant impact here since Appsmith offers a cloud version of its software hosted on AWS. Also, Appsmith does not restrict signup in the default installation. So if an Appsmith instance is exposed to the internet, anyone can sign up and gain access to the functionality affected by this SSRF vulnerability.
In this case, the SSRF vulnerabilities can be exploited to reach the AWS metadata IP address and obtain temporary security credentials for the cloud environment of a self-hosted Appsmith instance.
This can have large-scale impact, given that over 1,000 Appsmith instances are exposed on the internet:
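Both findings above share one root cause: the request target is checked once against a hostname blacklist, but neither the address the hostname resolves to nor the target of any HTTP redirect is checked. The following is an added example (not Appsmith's code, and not the fix the Appsmith team shipped) of how a defender would validate an outbound request target: check the scheme, reject blacklisted hostnames, resolve the hostname and reject any address in loopback, link-local (which includes the 169.254.169.254 metadata address), private or reserved ranges, and re-run that validation on every hop of a redirect chain. The resolver mapping and the hostnames `api.example.com`, `redirector.example.com` and `metadata.evil.example` are constructed for this example so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hostnames that must never be fetched on a user's behalf. A list like this is
# necessary but not sufficient: a benign-looking hostname can resolve to, or
# redirect to, one of these addresses.
DISALLOWED_HOSTS = {"169.254.169.254", "metadata.google.internal"}


def resolve(hostname, resolver=None):
    """Return every IP address for `hostname`.

    `resolver` is an optional dict {hostname: [ip, ...]} used instead of live
    DNS so the example runs offline. IP literals are returned as-is.
    """
    try:
        return [str(ipaddress.ip_address(hostname))]
    except ValueError:
        pass
    if resolver is not None:
        return list(resolver.get(hostname, []))
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_forbidden_ip(ip_str):
    """True for addresses an outbound request must never be sent to."""
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_target(url, resolver=None):
    """Return (ok, reason) for a single URL a user asked the server to fetch."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parsed.scheme!r}"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if host.lower() in DISALLOWED_HOSTS:
        return False, f"host is blacklisted: {host}"
    addrs = resolve(host, resolver)
    if not addrs:
        return False, f"host does not resolve: {host}"
    for addr in addrs:
        if is_forbidden_ip(addr):
            return False, f"{host} resolves to forbidden address {addr}"
    return True, "ok"


def validate_redirect_chain(chain, resolver=None, max_hops=5):
    """Validate every URL a client would visit while following redirects.

    `chain[0]` is the user-supplied URL; later entries are the successive
    Location targets. Each hop is re-validated, which is the check that a
    one-time hostname blacklist misses.
    """
    if len(chain) - 1 > max_hops:
        return False, "too many redirects"
    for hop in chain:
        ok, reason = validate_target(hop, resolver)
        if not ok:
            return False, f"hop {hop}: {reason}"
    return True, "ok"


# Constructed resolver for offline demonstration (not real DNS data).
DEMO_RESOLVER = {
    "api.example.com": ["93.184.216.34"],
    "redirector.example.com": ["93.184.216.34"],
    "metadata.evil.example": ["169.254.169.254"],
}

if __name__ == "__main__":
    cases = [
        ["https://api.example.com/v1/items"],
        ["http://169.254.169.254/latest/meta-data/"],
        ["http://metadata.evil.example/latest/meta-data/"],
        ["http://redirector.example.com/redirect.php",
         "http://169.254.169.254/latest/meta-data/iam/security-credentials/"],
    ]
    for chain in cases:
        print(chain[0], "->", validate_redirect_chain(chain, DEMO_RESOLVER))
```

In a real HTTP client this means disabling automatic redirect following and calling `validate_target` on each `Location` header before issuing the next request; validating only the first URL, as the blacklist in the post did, leaves the redirect bypass open.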

CloudSEK submitted this vulnerability to Appsmith via their well-defined vulnerability disclosure process. Subsequently, the Appsmith team fixed this issue in their next release. Appsmith versions 1.7.12 and above do not have this vulnerability.
Timeline for this disclosure process can be found below: