{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/monitr/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Monetr"],"_cs_severities":["medium"],"_cs_tags":["ssrf","monitr","github-advisory"],"_cs_type":"advisory","_cs_vendors":["Monetr"],"content_html":"\u003cp\u003eA server-side request forgery (SSRF) vulnerability was identified in the Lunch Flow integration of Monetr, affecting self-hosted instances. This vulnerability allows any authenticated user to cause the Monetr server to issue HTTP GET requests to arbitrary URLs, with the response body from non-200 upstream responses reflected back in the API error message. The URL validator on the \u003ccode\u003ePOST /api/lunch_flow/link\u003c/code\u003e endpoint lacked sufficient filtering, failing to block loopback, RFC1918, link-local, or cloud-provider metadata addresses. This allows attackers to potentially access internal resources or cloud instance metadata. The vulnerability was addressed in Monetr version 1.12.5. The hosted \u003ccode\u003emy.monetr.app\u003c/code\u003e service is not affected because \u003ccode\u003eLunchFlow.Enabled\u003c/code\u003e is set to \u003ccode\u003efalse\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker registers an account on a vulnerable self-hosted Monetr instance where public sign-up is enabled (\u003ccode\u003eAllowSignUp=true\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Monetr instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003ePOST\u003c/code\u003e request to the \u003ccode\u003e/api/lunch_flow/link\u003c/code\u003e endpoint, providing a URL pointing to an internal resource, such as a cloud metadata endpoint (e.g., \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe Monetr server, due to insufficient URL validation, accepts the malicious URL.\u003c/li\u003e\n\u003cli\u003eThe Monetr server issues an HTTP GET request to the attacker-supplied URL.\u003c/li\u003e\n\u003cli\u003eThe external service or internal resource responds to the Monetr server.\u003c/li\u003e\n\u003cli\u003eIf the response is not a 200 OK, the Monetr server reflects the response body in the API error message within the JSON response to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker observes the reflected response body, potentially revealing sensitive information like cloud instance metadata or internal service details.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability can lead to the exposure of sensitive information, such as cloud instance metadata (e.g., AWS EC2 IMDS). This could allow an attacker to gain unauthorized access to other cloud resources or internal systems. The vulnerable instances are self-hosted Monetr deployments running the default configuration with \u003ccode\u003eLunchFlow.Enabled=true\u003c/code\u003e and \u003ccode\u003eAllowSignUp=true\u003c/code\u003e. An attacker could also cause a denial-of-service by providing a URL that returns a very large response body, exhausting the server\u0026rsquo;s memory.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Monetr version \u003ccode\u003ev1.12.5\u003c/code\u003e or later to patch the SSRF vulnerability. This version introduces a new config field \u003ccode\u003eLunchFlow.AllowedApiUrls\u003c/code\u003e and caps response body reads at 10 MiB.\u003c/li\u003e\n\u003cli\u003eFor operators who cannot upgrade immediately, set \u003ccode\u003eMONETR_ALLOW_SIGN_UP=false\u003c/code\u003e to disable public sign-up, limiting access to the vulnerable endpoint to trusted users.\u003c/li\u003e\n\u003cli\u003eAlternatively, disable Lunch Flow entirely by setting \u003ccode\u003elunchFlow.enabled: false\u003c/code\u003e in your config file. This will cause the vulnerable endpoints to return 404.\u003c/li\u003e\n\u003cli\u003eImplement network-level egress restrictions to limit outbound HTTP traffic from the Monetr pod/container to only \u003ccode\u003elunchflow.app\u003c/code\u003e (or other legitimate Lunch Flow hosts), mitigating the SSRF primitive.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-02T12:00:00Z","date_published":"2024-05-02T12:00:00Z","id":"/briefs/2024-05-monetr-ssrf/","summary":"A server-side request forgery (SSRF) vulnerability in Monetr's Lunch Flow integration allows authenticated users on self-hosted instances to send HTTP GET requests to arbitrary URLs, potentially exposing sensitive information.","title":"Monetr Lunch Flow SSRF Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-05-monetr-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Monitr","version":"https://jsonfeed.org/version/1.1"}