FireFighter 访问控制错误漏洞

FireFighter is an event management tool developed by ManoMano Tech. Versions of FireFighter prior to 0.0.54 contained an access control vulnerability. This vulnerability stemmed from the POST /api/v2/firefighter/raid/jirabot endpoint, which allowed unauthorized access without authentication...

FireFighter has unauthenticated SSRF in its Raid jira_bot endpoint that allows IAM credential theft

Impact The POST /api/v2/firefighter/raid/jirabot endpoint CreateJiraBotView is reachable without authentication permissionclasses = permissions.AllowAny. Its attachments payload is fetched server-side via httpx.get with no URL validation, then uploaded as an attachment on the Jira ticket that get...