Server-Side Request Forgery in terriajs-server

2019-05-29T20:24:02
ID GHSA-P72P-RJR2-R439
Type github
Reporter GitHub Advisory Database
Modified 2021-08-04T20:07:20

Description

Versions of terriajs-serverprior to 2.7.4 are vulnerable to Server-Side Request Forgery (SSRF). If an attacker has access to a server whitelisted by the terriajs-server proxy or if the attacker is able to modify the DNS records of a domain whitelisted by the terriajs-server proxy, the attacker can use the terriajs-server proxy to access any HTTP-accessible resources that are accessible to the server, including private resources in the hosting environment.

Recommendation

Upgrade to version 2.7.4 or later.