{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/buildingai/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7065"}],"_cs_exploited":false,"_cs_products":["BuildingAI"],"_cs_severities":["high"],"_cs_tags":["ssrf","cve-2026-7065","web-application"],"_cs_type":"advisory","_cs_vendors":["BidingCC"],"content_html":"\u003cp\u003eBidingCC BuildingAI, up to and including version 26.0.1, is vulnerable to server-side request forgery (SSRF). The vulnerability resides in the \u003ccode\u003euploadRemoteFile\u003c/code\u003e function in \u003ccode\u003epackages/core/src/modules/upload/services/file-storage.service.ts\u003c/code\u003e. A remote attacker controls the \u003ccode\u003eurl\u003c/code\u003e argument passed to this function and can force the server to issue requests to arbitrary internal or external destinations. The vulnerability has been publicly disclosed and is considered exploitable, although no in-the-wild exploitation has been reported. The vendor was notified of the issue but has not responded. 
Successful exploitation can lead to information disclosure, internal service compromise, or other malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a BidingCC BuildingAI instance running a vulnerable version (\u0026lt;= 26.0.1).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a URL pointing at an internal resource or at an external server under their control.\u003c/li\u003e\n\u003cli\u003eAttacker calls the upload endpoint backed by \u003ccode\u003euploadRemoteFile\u003c/code\u003e, supplying the crafted URL as the \u003ccode\u003eurl\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003euploadRemoteFile\u003c/code\u003e function initiates a request to the supplied URL without validating its scheme or destination.\u003c/li\u003e\n\u003cli\u003eThe BuildingAI server makes an HTTP request to the attacker-specified URL from its own network position.\u003c/li\u003e\n\u003cli\u003eIf the URL points to an internal resource (for example a service bound to localhost, an internal admin interface, or a cloud instance metadata endpoint), the server retrieves data that the attacker could not reach directly.\u003c/li\u003e\n\u003cli\u003eIf the URL points to an attacker-controlled external server, the outbound connection reveals the server\u0026rsquo;s egress IP address and request headers, and the server can be used as a proxy for further attacks.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains the result of the forced request (for example through the stored copy of the fetched content, or indirectly through error messages and response timing), achieving information disclosure or a foothold for further exploitation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the SSRF vulnerability (CVE-2026-7065) in BidingCC BuildingAI can expose sensitive internal information, such as configuration files, internal service endpoints, and potentially database credentials. This information can be leveraged to further compromise the BuildingAI instance or other internal systems. 
The impact is significant because of the potential for lateral movement and privilege escalation within the affected organization\u0026rsquo;s infrastructure. The lack of vendor response exacerbates the risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy a detection rule on web server logs (log source: webserver) for requests to the upload endpoint backed by \u003ccode\u003euploadRemoteFile\u003c/code\u003e whose \u003ccode\u003eurl\u003c/code\u003e parameter uses a non-HTTP(S) scheme or targets loopback, private, link-local, or cloud metadata addresses. This only works where the parameter is visible in the log, i.e. in a query string or through application-level request logging; a URL sent in a POST body does not appear in a standard access log.\u003c/li\u003e\n\u003cli\u003eImplement strict validation of the \u003ccode\u003eurl\u003c/code\u003e parameter in \u003ccode\u003euploadRemoteFile\u003c/code\u003e (CVE-2026-7065): allow only \u003ccode\u003ehttp\u003c/code\u003e and \u003ccode\u003ehttps\u003c/code\u003e, reject embedded credentials, resolve the hostname and reject loopback, private, link-local, and IPv4-mapped IPv6 addresses, connect to the vetted address rather than re-resolving the name, and re-apply the same checks to every redirect hop instead of following redirects blindly.\u003c/li\u003e\n\u003cli\u003eRestrict outbound network access from the BuildingAI server to the destinations it actually needs (egress allowlisting at the network layer, with the cloud metadata endpoint blocked), so that a bypass of the application-level validation still cannot reach internal services.\u003c/li\u003e\n\u003cli\u003eMonitor egress (proxy, firewall, and DNS) logs for connections originating from the BuildingAI server to internal addresses, the metadata endpoint, or previously unseen external hosts; web server logs record inbound requests and will not show the forced outbound request itself.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-buildingai-ssrf/","summary":"A server-side request forgery (SSRF) vulnerability exists in BidingCC BuildingAI up to version 26.0.1, allowing remote attackers to manipulate the `url` argument in the `uploadRemoteFile` function of `file-storage.service.ts` to conduct SSRF attacks.","title":"BidingCC BuildingAI SSRF Vulnerability (CVE-2026-7065)","url":"https://feed.craftedsignal.io/briefs/2024-01-buildingai-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — BuildingAI","version":"https://jsonfeed.org/version/1.1"}
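The following is an added example and not code from BidingCC BuildingAI or its vendor: a hardened destination gate of the kind the recommendation above describes for a fetch-remote-file-by-URL function such as `uploadRemoteFile(url)`. It shows the checks an SSRF guard needs beyond a simple hostname blocklist: a scheme allowlist, rejection of embedded credentials, classification of IPv4 and IPv6 literals after the WHATWG URL parser has canonicalised forms such as `0x7f.0.0.1` and `2130706433`, a second pass over the addresses a DNS name resolves to, and re-validation of every redirect hop. All function names, the address ranges chosen, the redirect-hop cap and the sample inputs are this example's own assumptions; nothing here is taken from the BuildingAI code base.

```typescript
// Added example, not BuildingAI code: destination validation for a
// "fetch a remote file by URL" feature such as uploadRemoteFile(url).
// Function names, the redirect-hop cap and the inputs are this example's own.

type Verdict = { ok: true; url: URL } | { ok: false; reason: string };

function parseUrl(input: string): URL | null {
  try { return new URL(input); } catch (e) { return null; }
}

// Dotted-quad IPv4 only: the WHATWG URL parser has already canonicalised
// hex, octal and single-integer hosts (0x7f.0.0.1, 2130706433) to this form.
function parseIPv4(host: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (m === null) return null;
  const octets = m.slice(1).map(Number);
  return octets.every(function (o) { return o <= 255; }) ? octets : null;
}

// IPv4 ranges an SSRF guard must never let the server reach.
function isForbiddenIPv4(o: number[]): boolean {
  const a = o[0], b = o[1];
  return (
    a === 0 ||                            // 0.0.0.0/8 (0.0.0.0 reaches loopback on Linux)
    a === 10 ||                           // 10.0.0.0/8
    a === 127 ||                          // 127.0.0.0/8 loopback
    (a === 100 && b >= 64 && b <= 127) || // 100.64.0.0/10 shared address space
    (a === 169 && b === 254) ||           // 169.254.0.0/16 link-local, incl. 169.254.169.254
    (a === 172 && b >= 16 && b <= 31) ||  // 172.16.0.0/12
    (a === 192 && b === 168) ||           // 192.168.0.0/16
    a >= 224                              // multicast, reserved, broadcast
  );
}

// Minimal IPv6 classifier: unspecified, loopback, link-local, ULA, IPv4-mapped.
function isForbiddenIPv6(host: string): boolean {
  if (host === '::' || host === '::1') return true;
  if (/^fe[89ab][0-9a-f]:/.test(host) || /^f[cd][0-9a-f]{2}:/.test(host)) return true;
  // ::ffff:127.0.0.1 is what a resolver may hand back ...
  const dotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(host);
  if (dotted !== null) { const o = parseIPv4(dotted[1]); return o === null || isForbiddenIPv4(o); }
  // ... while the URL parser serialises the same address as ::ffff:7f00:1
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(host);
  if (hex !== null) {
    const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
    return isForbiddenIPv4([hi >> 8, hi & 255, lo >> 8, lo & 255]);
  }
  return false;
}

// One host literal or name. A DNS name passes here only provisionally; the
// caller must resolve it and run every returned address through this function.
function isForbiddenAddress(addr: string): boolean {
  const host = addr.replace(/^\[|\]$/g, '').toLowerCase();
  if (host === 'localhost' || /\.localhost$/.test(host)) return true;
  const v4 = parseIPv4(host);
  if (v4 !== null) return isForbiddenIPv4(v4);
  if (host.indexOf(':') !== -1) return isForbiddenIPv6(host);
  return false;
}

// Syntactic gate, run before any network activity.
function validateRemoteUrl(input: string): Verdict {
  const url = parseUrl(input);
  if (url === null) return { ok: false, reason: 'unparseable URL' };
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme not allowed: ' + url.protocol };
  }
  if (url.username !== '' || url.password !== '') {
    return { ok: false, reason: 'credentials in URL' };
  }
  if (isForbiddenAddress(url.hostname)) {
    return { ok: false, reason: 'forbidden host: ' + url.hostname };
  }
  return { ok: true, url: url };
}

// Post-resolution gate: resolve url.hostname (dns.lookup with all: true, for
// instance) and pass every address here. Then connect to the vetted address
// itself, not to the name, so a DNS rebind between check and connect cannot
// swap in an internal target.
function resolvedAddressesAllowed(addresses: string[]): boolean {
  return addresses.length > 0 &&
    addresses.every(function (a) { return !isForbiddenAddress(a); });
}

// Redirects must not be followed blindly: resolve each Location against the
// current URL, cap the hop count, and re-run the full gate on the target.
function validateRedirect(from: URL, location: string, hop: number, maxHops: number): Verdict {
  if (hop > maxHops) return { ok: false, reason: 'too many redirects' };
  let target: URL | null;
  try { target = new URL(location, from); } catch (e) { target = null; }
  if (target === null) return { ok: false, reason: 'bad Location header' };
  return validateRemoteUrl(target.toString());
}
```

To use the gate, the HTTP client must have automatic redirect following disabled so that each `Location` passes through `validateRedirect`, and the socket must be opened to an address that `resolvedAddressesAllowed` accepted rather than to the hostname. The application-level check is a complement to, not a substitute for, egress filtering: a parser quirk or an unlisted range bypasses this code, whereas a network-layer allowlist holds regardless.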