CVE-2023-35817
📋 TL;DR
CVE-2023-35817 is a Server-Side Request Forgery (SSRF) vulnerability in the AsyncDownloader component shipped with DevExpress web components (Reporting, BI Dashboard, Office File API). An attacker who can supply a URL to the component can make the application server fetch it, reaching internal services, cloud metadata endpoints, or arbitrary external hosts from the server's network position. Versions before 23.1.3 are affected; 23.1.3 and later contain the fix.
💻 Affected Systems
- DevExpress Reporting
- DevExpress BI Dashboard
- DevExpress Office File API
📦 What is this software?
DevExpress by DevExpress
⚠️ Risk & Real-World Impact
Worst Case
Complete internal network compromise via chained attacks, data exfiltration, or lateral movement to critical systems.
Likely Case
Unauthorized access to internal services, metadata harvesting, or limited data exposure from accessible endpoints.
If Mitigated
Contained impact with only publicly accessible endpoints reachable, minimal data exposure.
🎯 Exploit Status
No public exploit is linked from this page. SSRF issues of this kind are routinely exploited once details are public, and exploitation typically requires only the ability to submit a URL to the affected endpoint, so treat the patch as urgent for internet-facing deployments.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 23.1.3 and later
Vendor Advisory: https://supportcenter.devexpress.com/ticket/details/t394936/devexpress-security-advisory-updated-on-april-27-2023
Restart Required: Yes
Instructions:
1. Update all DevExpress packages and assemblies used by the application to 23.1.3 or later (check NuGet package references and any binaries copied into the build).
2. Rebuild and redeploy the affected applications.
3. Restart the application servers (e.g. recycle the IIS application pool or restart the hosting process) so the old assemblies are unloaded.
4. Verify that the deployed assemblies report version 23.1.3 or later (see How to Verify).
🔧 Temporary Workarounds
Restrict AsyncDownloader URLs
Configure URL validation so the component only fetches from an explicit allow-list of trusted hosts, rejects raw IP literals, loopback, link-local (including the 169.254.169.254 cloud metadata address) and private ranges, and does not follow redirects to such addresses. The exact options depend on the product and version; DevExpress documents them in the web app configuration guidance linked under References (ticket t1162045).
Disable AsyncDownloader
Temporarily disable the AsyncDownloader functionality if the application does not need server-side downloads. The original recommendation here is to set AsyncDownloader.Enabled = false in application configuration; confirm the exact option name for your product and version against the vendor configuration guidance (ticket t1162045) before relying on it.
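The allow-list workaround above only helps if the validation is strict about scheme, credentials, port, exact host match and the addresses a trusted name actually resolves to. The following is an added example of such a check, not DevExpress code and not the component's own configuration: it assumes a hypothetical application wrapper that validates a user-supplied URL before handing it to an AsyncDownloader-style fetcher, with a constructed allow-list and a constructed name-resolution table so it runs offline.

```python
"""Allow-list validation for URLs passed to a server-side fetcher.

Added example for this advisory; it is not DevExpress code. It assumes a
hypothetical application wrapper that validates a user-supplied URL
*before* handing it to an AsyncDownloader-style component.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical policy: only these hosts, only HTTPS, only port 443.
TRUSTED_HOSTS = {"reports.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}

# Constructed name-resolution table so the example runs offline. A real
# deployment would call socket.getaddrinfo() and connect to the address it
# validated (otherwise DNS rebinding can swap in an internal address).
FAKE_DNS = {
    "reports.example.com": ["93.184.216.34"],
    "cdn.example.com": ["93.184.216.34"],
}


def is_public_address(text: str) -> bool:
    """True only for globally routable unicast addresses: rejects RFC 1918,
    loopback, link-local (incl. 169.254.169.254 cloud metadata), CGNAT,
    documentation ranges, multicast and unspecified addresses."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return ip.is_global and not ip.is_multicast


def validate_download_url(url: str, resolve=FAKE_DNS.get) -> tuple[bool, str]:
    """Return (allowed, reason). `resolve(host)` returns the address list the
    fetcher will connect to, or None if the name does not resolve."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    # 'https://trusted@evil/' parses 'trusted' as userinfo; never allow it.
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "missing host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    # Exact host match: no suffix matching, so 'reports.example.com.evil.net'
    # and raw IP literals (169.254.169.254, [::1]) are rejected here.
    if host not in TRUSTED_HOSTS:
        return False, f"host not in allow-list: {host}"
    addresses = resolve(host)
    if not addresses:
        return False, f"host does not resolve: {host}"
    # Defence in depth: a trusted name must not point at internal space.
    bad = [a for a in addresses if not is_public_address(a)]
    if bad:
        return False, f"{host} resolves to non-public address(es): {bad}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://reports.example.com/templates/invoice.repx",
        "http://reports.example.com/templates/invoice.repx",
        "https://169.254.169.254/latest/meta-data/",
        "https://reports.example.com@evil.example.net/",
        "https://reports.example.com:8080/",
    ):
        print(candidate, "->", validate_download_url(candidate))
```

The order of checks matters: scheme and userinfo are rejected before the host is even looked at, the host comparison is exact rather than a suffix match, and the resolved-address check is a second line of defence rather than the primary control. Redirects are not covered here; the fetcher itself must either refuse to follow them or re-run this validation on every hop.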
🧯 If You Can't Patch
- Deny outbound connections from the application server by default and allow only the specific destinations it needs (ideally through an egress proxy with an allow-list); explicitly block loopback, private ranges and the cloud metadata address 169.254.169.254.
- Deploy a web application firewall with rules that reject URL parameters pointing at private IP ranges, loopback, link-local and cloud metadata addresses; treat this as defence in depth only, since encoding tricks and DNS names that resolve internally bypass pattern-based rules.
🔍 How to Verify
Check if Vulnerable:
Inspect the DevExpress assemblies deployed with the application (the bin directory or the NuGet package references). If the Reporting, BI Dashboard, or Office File API components are present at a version below 23.1.3, the deployment is vulnerable.
Check Version:
Check assembly properties in Explorer, or list every DevExpress assembly below the fixed version from PowerShell in the deployment directory: Get-ChildItem -Path . -Filter 'DevExpress*.dll' -Recurse | ForEach-Object { [pscustomobject]@{ Name = $_.Name; Version = [version]$_.VersionInfo.FileVersion } } | Where-Object { $_.Version -lt [version]'23.1.3' } (an empty result means no outdated DevExpress assembly was found under that path; a four-part file version such as 23.1.3.0 compares as not less than 23.1.3).
Verify Fix Applied:
Confirm every DevExpress assembly in the deployment reports 23.1.3 or later, then test the AsyncDownloader endpoint with a URL that points at an internal address (for example a loopback or link-local address) and confirm the request is rejected rather than fetched.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from application server
- Requests to internal IP addresses from web application
- Failed URL validation attempts in AsyncDownloader logs
Network Indicators:
- HTTP requests from application server to unexpected internal services
- Outbound connections to unusual ports from web server
SIEM Query (pseudo-syntax; adapt field names to your platform; inbound and outbound evidence live in different log sources):
- Inbound, web-server logs: source="web_server_logs" AND url CONTAINS "AsyncDownloader" AND (url CONTAINS "169.254.169.254" OR url CONTAINS "localhost" OR url MATCHES private_ip_ranges)
- Outbound, egress proxy or firewall logs: source="egress_proxy_logs" AND src_ip IN app_server_ips AND (dest_ip IN private_ip_ranges OR dest_port NOT IN [80,443])
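The outbound half of that query is easy to prototype before it goes into a SIEM. The following is an added example, not part of the advisory and not vendor code, that applies the Network Indicators above to constructed egress-proxy log lines; the space-separated key=value format, the field names, the application server address and the known-good destination list are all assumptions to be mapped onto your own proxy or firewall schema.

```python
"""Offline SSRF detection over constructed egress-proxy log lines.

Added example for this advisory; not DevExpress or vendor code. The log
format (space-separated key=value fields, one request per line) and the
field names are assumptions; map your proxy/firewall schema onto them.
"""
import ipaddress
import re

# Constructed sample: outbound requests made by an application server that
# hosts DevExpress web components. Line 1 is normal; the rest show the
# patterns the Detection section describes.
SAMPLE_LOG = """\
ts=2023-06-20T10:00:01Z src=10.20.0.15 dst=93.184.216.34 dport=443 host=reports.example.com url="https://reports.example.com/templates/invoice.repx"
ts=2023-06-20T10:00:07Z src=10.20.0.15 dst=169.254.169.254 dport=80 host=169.254.169.254 url="http://169.254.169.254/latest/meta-data/iam/security-credentials/"
ts=2023-06-20T10:00:09Z src=10.20.0.15 dst=10.20.0.7 dport=8500 host=10.20.0.7 url="http://10.20.0.7:8500/v1/kv/?recurse"
ts=2023-06-20T10:00:12Z src=10.20.0.15 dst=127.0.0.1 dport=6379 host=localhost url="http://localhost:6379/"
ts=2023-06-20T10:00:15Z src=10.20.0.15 dst=93.184.216.34 dport=443 host=cdn.example.com url="https://cdn.example.com/logo.png"
"""

APP_SERVERS = {"10.20.0.15"}                # hosts running the affected apps (assumption)
EXPECTED_PORTS = {80, 443}
KNOWN_GOOD_HOSTS = {"reports.example.com"}  # destinations the app legitimately needs
METADATA_ADDRESSES = {"169.254.169.254"}    # IMDS address used by major clouds (IPv4 only)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict, dropping quotes on values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def is_internal(addr: str) -> bool:
    """RFC 1918, loopback, link-local and reserved space count as internal."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def classify(event: dict) -> list:
    """Return the reasons this event is suspicious (empty list = benign)."""
    reasons = []
    dst = event.get("dst", "")
    host = event.get("host", "").lower()
    if dst in METADATA_ADDRESSES:
        reasons.append("cloud metadata endpoint")
    elif is_internal(dst):
        reasons.append("internal destination")
    try:
        port = int(event.get("dport", "0"))
    except ValueError:
        port = 0
    if port not in EXPECTED_PORTS:
        reasons.append(f"unusual port {port}")
    if host not in KNOWN_GOOD_HOSTS:
        reasons.append(f"unknown destination host {host}")
    return reasons


def find_suspicious(log_text: str) -> list:
    """Return (timestamp, url, reasons) for each suspicious outbound request
    originating from an application server."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event.get("src") not in APP_SERVERS:
            continue
        reasons = classify(event)
        if reasons:
            hits.append((event.get("ts", ""), event.get("url", ""), reasons))
    return hits


if __name__ == "__main__":
    for ts, url, reasons in find_suspicious(SAMPLE_LOG):
        print(ts, url, "->", "; ".join(reasons))
```

An "unknown destination host" on its own is low severity and mostly useful for tuning the known-good list; a metadata or internal destination from an application server is the signal worth alerting on, and an unusual port on top of that usually indicates service probing rather than a misconfigured report template.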
🔗 References
- https://code-white.com/public-vulnerability-list/
- https://supportcenter.devexpress.com/ticket/details/t1157209/server-side-request-forgery-via-asyncdownloader
- https://supportcenter.devexpress.com/ticket/details/t1161404/report-and-dashboard-server-improper-default-configuration-can-lead-to-ssrf-attacks
- https://supportcenter.devexpress.com/ticket/details/t1162045/reporting-bi-dashboard-office-file-api-web-app-configuration-to-help-prevent-ssrf-attacks
- https://supportcenter.devexpress.com/ticket/details/t394936/devexpress-security-advisory-updated-on-april-27-2023