Plane Project Management Tool Patches Critical SSRF Flaw – CVE-2024-47830 (CVSS 9.3)


A critical security vulnerability has been discovered and patched in Plane, a popular open-source project management tool. The vulnerability, identified as CVE-2024-47830 and assigned a CVSS score of 9.3, is a server-side request forgery (SSRF) flaw: it could allow attackers to make the server issue requests to unintended locations, potentially leading to unauthorized access to internal services and sensitive data leakage.

Security researcher Sim4n6 discovered the vulnerability within Plane’s image handling configuration. Specifically, the use of wildcard support in the remotePatterns setting within the file web/next.config.js permits any hostname to be used when retrieving images, as demonstrated in the following code snippet:

  images: {
    remotePatterns: [
      {
        protocol: "https",
        hostname: "**", // wildcard: any hostname is accepted as an image source
      },
    ],
  },

This design flaw could be exploited by attackers to trick the server into making requests to arbitrary locations. In a proof-of-concept (PoC) example provided by Sim4n6, a payload sent to Plane’s image processing endpoint could induce the server to issue a GET request to a malicious hostname. For instance, the following URL would trigger the vulnerability:

https://plane.so/_next/image?url=https%3A%2F%2F3dj9lr9c.c5.rs%2F%3F%23_next%2Fstatic%2Fmedia%2Fplane-logo-with-text.31443952.png&w=384&q=75

This would result in the server initiating an unintended request, allowing the attacker to interact with internal services.
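To make the role of the remotePatterns setting concrete, the following is an added example written for this article; it is not Plane's code and not the Next.js image optimizer's own implementation. It is a simplified reimplementation of how a requested image URL is matched against remotePatterns (protocol, hostname with "*" and "**" wildcards, and port; pathname matching is omitted). It takes the decoded url parameter from the PoC request quoted above and checks it against the wildcard configuration from the article and against a hardened configuration that pins a single host. The host cdn.example.com is a placeholder assumption, not a Plane value.

```javascript
// Added example, not Plane's or Next.js's own code: a simplified reimplementation
// of remotePatterns matching. Hostname wildcards follow the documented meaning:
// "*" matches one subdomain label, "**" matches any number of leading labels.

// The configuration the article describes as vulnerable: any HTTPS host is allowed.
const VULNERABLE_PATTERNS = [{ protocol: "https", hostname: "**" }];

// A hardened configuration: only one explicitly named image host is allowed.
// "cdn.example.com" is a placeholder assumption, not a value from Plane.
const HARDENED_PATTERNS = [{ protocol: "https", hostname: "cdn.example.com" }];

// Convert a remotePatterns hostname (possibly containing "*" / "**") to a RegExp.
function hostnamePatternToRegExp(pattern) {
  const re = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters (not "*")
    .replace(/\*\*/g, "\u0000")            // protect "**" before handling single "*"
    .replace(/\*/g, "[^.]*")               // "*": exactly one subdomain label
    .replace(/\u0000/g, ".*");             // "**": any number of labels
  return new RegExp("^" + re + "$", "i");
}

// Return true if the candidate image URL is permitted by at least one pattern.
function isAllowedImageUrl(urlString, remotePatterns) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // not an absolute URL: reject
  }
  const protocol = url.protocol.replace(":", "");
  return remotePatterns.some(
    (p) =>
      (p.protocol === undefined || p.protocol === protocol) &&
      hostnamePatternToRegExp(p.hostname).test(url.hostname) &&
      (p.port === undefined || p.port === url.port)
  );
}

// Extract the decoded "url" query parameter from a /_next/image request,
// i.e. the remote location the optimizer would be asked to fetch.
function extractImageParam(requestUrl) {
  return new URL(requestUrl).searchParams.get("url");
}

// The PoC request quoted in the article, passed through both configurations.
const POC_REQUEST =
  "https://plane.so/_next/image?url=https%3A%2F%2F3dj9lr9c.c5.rs%2F%3F%23_next%2Fstatic%2Fmedia%2Fplane-logo-with-text.31443952.png&w=384&q=75";

function main() {
  const target = extractImageParam(POC_REQUEST);
  console.log("optimizer would fetch:", target);
  console.log("allowed by wildcard config:", isAllowedImageUrl(target, VULNERABLE_PATTERNS)); // true
  console.log("allowed by hardened config:", isAllowedImageUrl(target, HARDENED_PATTERNS)); // false
}

if (typeof require !== "undefined" && require.main === module) {
  main();
}
```

The matcher only decides whether the optimizer will fetch a URL at all; pinning hostname (and, where possible, pathname) in remotePatterns is what removes the attacker's control over the destination. In a real deployment the same list should be reviewed whenever a new image host is added, since a single "**" entry silently reopens the issue.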

The impact of this vulnerability is significant, as it could allow attackers to:

  • Unauthorized Access: Attackers could gain access to internal services that are normally protected and inaccessible from the outside.
  • Sensitive Information Leakage: Internal services, which may contain confidential or sensitive data, could be exposed through the vulnerability.
  • System Manipulation: Malicious actors could interact with internal APIs, leading to data tampering or system manipulation.
  • Port Scanning: Attackers could use the SSRF vulnerability to scan for open ports and discover other vulnerable services within the internal network.

The CVE-2024-47830 vulnerability affects all versions of Plane prior to v0.23. The Plane development team has addressed this issue in version v0.23, and users are strongly urged to update their installations immediately.
