CVE-2021-27670
📋 TL;DR
CVE-2021-27670 is a Server-Side Request Forgery (SSRF) vulnerability in Appspace 6.2.4 that allows attackers to make unauthorized requests from the vulnerable server to internal or external systems. This affects all Appspace 6.2.4 deployments with the vulnerable API endpoint exposed. Attackers can exploit this to access internal services, perform port scanning, or potentially access cloud metadata services.
💻 Affected Systems
- Appspace
📦 What is this software?
Appspace by Appspace
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of internal network services, access to cloud instance metadata leading to credential theft, and potential data exfiltration from internal systems.
Likely Case
Internal network reconnaissance, access to internal web services, and potential data leakage from internal APIs.
If Mitigated
Limited impact with proper network segmentation and egress filtering, though some internal service enumeration may still be possible.
🎯 Exploit Status
Multiple public proof-of-concept scripts exist, and exploitation requires only HTTP requests to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.2.5 and later
Vendor Advisory: https://www.appspace.com/support/security-advisories/
Restart Required: Yes
Instructions:
1. Backup current Appspace configuration.
2. Download Appspace 6.2.5 or later from vendor portal.
3. Follow Appspace upgrade documentation.
4. Verify the /api/v1/core/proxy/jsonprequest endpoint is no longer vulnerable.
🔧 Temporary Workarounds
Web Application Firewall Rule
Block or restrict access to the vulnerable API endpoint
WAF rule: Block requests to /api/v1/core/proxy/jsonprequest with suspicious URL parameters
Network Segmentation
Restrict outbound network access from Appspace servers
Firewall rules to limit Appspace server egress to only required destinations
🧯 If You Can't Patch
- Implement strict network egress filtering to prevent Appspace servers from accessing internal services
- Deploy a WAF with SSRF protection rules in front of Appspace
🔍 How to Verify
Check if Vulnerable:
Test if /api/v1/core/proxy/jsonprequest endpoint accepts external URL parameters and makes requests to internal IPs (e.g., http://169.254.169.254 for AWS metadata)
Check Version:
Check Appspace admin interface or configuration files for version number
Verify Fix Applied:
Verify that the endpoint no longer processes arbitrary URL parameters, i.e. that it returns an error rather than fetching the supplied URL when an SSRF attempt is made
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /api/v1/core/proxy/jsonprequest with URL parameters pointing to internal IPs or unusual domains
- Outbound connections from Appspace server to unexpected internal services
Network Indicators:
- Appspace server making HTTP requests to internal IP ranges (10.x.x.x, 172.16.x.x, 192.168.x.x) or cloud metadata endpoints
SIEM Query:
source="appspace_logs" AND uri="/api/v1/core/proxy/jsonprequest" AND (url_param CONTAINS "169.254.169.254" OR url_param CONTAINS "10." OR url_param CONTAINS "192.168.")
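The SIEM query above uses plain substring matches, so "10." also fires on unrelated URLs such as a path containing "v10.1", and it misses encoded or scheme-less targets. The following added example (not part of the advisory or of Appspace's own tooling) implements the same detection idea over constructed access-log lines with real CIDR parsing: it flags any request to /api/v1/core/proxy/jsonprequest whose query carries a URL resolving to an IP literal in the RFC 1918 ranges or the link-local range that hosts the cloud metadata service. The log line format, the "url" parameter name and the inclusion of loopback addresses are assumptions, not facts from the page; adapt the regex to your actual Appspace log format.

```python
import ipaddress
import re
from urllib.parse import urlparse, parse_qs

# Endpoint named in the advisory.
VULN_PATH = "/api/v1/core/proxy/jsonprequest"

# Destination ranges named on the page (RFC 1918 plus the link-local range that
# carries the cloud metadata service at 169.254.169.254). Loopback (IPv4 and IPv6)
# is an added assumption: it is not listed on the page but is an equally
# sensitive SSRF destination.
SENSITIVE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "169.254.0.0/16", "127.0.0.0/8", "::1/128")
]

# Constructed access-log shape: timestamp, client IP, method, request target, status.
# Appspace's real log format is not given on the page; adjust this regex to yours.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$"
)


def sensitive_host(value: str):
    """Return the IP (as a string) if `value` is a URL whose host is an IP literal
    inside a sensitive range, otherwise None."""
    if "://" not in value:
        value = "http://" + value  # scheme-less targets are still accepted by many proxies
    host = urlparse(value).hostname  # strips brackets from IPv6 literals, lowercases
    if not host:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name cannot be classified offline; handle via resolver logs
    if any(addr in net for net in SENSITIVE_NETS):
        return str(addr)
    return None


def classify_line(line: str):
    """Return (client, parameter_name, target_ip) for a suspicious request, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parsed = urlparse(m.group("target"))
    if parsed.path != VULN_PATH:
        return None
    # Inspect every query parameter rather than trusting a fixed name, since the
    # page does not confirm which parameter carries the proxied URL. parse_qs
    # percent-decodes values, so encoded targets are handled too.
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        for v in values:
            addr = sensitive_host(v)
            if addr:
                return (m.group("client"), name, addr)
    return None


def scan(lines):
    """Run classify_line over an iterable of log lines and keep the hits."""
    return [hit for hit in (classify_line(l) for l in lines) if hit]


# Constructed sample log: two SSRF-style requests (one percent-encoded), one benign
# external fetch, one external URL that a naive "10." substring match would flag,
# and one request to a different endpoint.
SAMPLE_LOG = """\
2021-03-01T10:00:00Z 203.0.113.5 GET /api/v1/core/proxy/jsonprequest?url=http://169.254.169.254/latest/meta-data/ 200
2021-03-01T10:00:01Z 203.0.113.5 GET /api/v1/core/proxy/jsonprequest?url=http%3A%2F%2F10.0.0.5%3A8080%2Fadmin 200
2021-03-01T10:00:02Z 198.51.100.7 GET /api/v1/core/proxy/jsonprequest?url=https://cdn.example.com/feed.json 200
2021-03-01T10:00:03Z 198.51.100.7 GET /api/v1/core/proxy/jsonprequest?url=http://203.0.113.10/v10.1/status 200
2021-03-01T10:00:04Z 198.51.100.9 GET /api/v1/other?url=http://192.168.1.1/ 200
"""

if __name__ == "__main__":
    for client, param, addr in scan(SAMPLE_LOG.splitlines()):
        print(f"suspicious: client={client} param={param} target={addr}")
```

Only the first two sample lines are reported. Note what this filter does not catch: targets given as DNS names (including names that resolve to internal addresses) and redirect-based SSRF need correlation with resolver or egress logs, which is why the network indicators above (outbound connections from the Appspace server itself) remain the more reliable signal.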