GMS-2019-59: Server-Side Request Forgery in terriajs-server

May 29, 2019 (updated August 4, 2021)

Versions of terriajs-server are vulnerable to Server-Side Request Forgery (SSRF). If an attacker has access to a server allow listed by the terriajs-server proxy or if the attacker is able to modify the DNS records of a domain allow listed by the terriajs-server proxy, the attacker can use the terriajs-server proxy to access any HTTP-accessible resources that are accessible to the server, including private resources in the hosting environment. Upgrade to or later.

References

github.com/TerriaJS/terriajs-server/commit/3cbc48475f50a53962f605491d0e60648a29bdf0
github.com/advisories/GHSA-p72p-rjr2-r439
medium.com/terria/security-vulnerability-in-terriajs-server-82c8bf4da0a5
www.npmjs.com/advisories/768

Code Behaviors & Features

Detect and mitigate GMS-2019-59 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →