CVE-2024-22205 Overview
CVE-2024-22205 is a Server-Side Request Forgery (SSRF) vulnerability affecting Whoogle Search, a self-hosted metasearch engine. The vulnerability exists in the window endpoint, which fails to sanitize user-supplied input from the location variable before passing it to the send method in request.py. This allows attackers to craft GET requests to internal and external resources on behalf of the server, potentially accessing resources on internal networks that would otherwise be inaccessible from the internet.
Critical Impact
This SSRF vulnerability allows unauthenticated remote attackers to make arbitrary HTTP GET requests from the server, enabling access to internal network resources and potential data exfiltration.
Affected Products
- Benbusby Whoogle Search versions 0.8.3 and prior
- Self-hosted Whoogle Search instances running vulnerable versions
Discovery Timeline
- January 23, 2024 - CVE-2024-22205 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2024-22205
Vulnerability Analysis
This Server-Side Request Forgery (SSRF) vulnerability allows attackers to abuse the Whoogle Search server to make HTTP GET requests to arbitrary destinations. The flaw exists because the window endpoint in routes.py accepts user-controlled input through the location parameter without proper validation or sanitization. This input is then passed directly to the send method in request.py (lines 339-343), which executes the HTTP request on behalf of the server.
The impact of this vulnerability is significant for organizations using Whoogle Search, as it enables attackers to probe internal network infrastructure, access internal services, and potentially exfiltrate sensitive data from systems that are not directly accessible from the internet.
Root Cause
The root cause of CVE-2024-22205 is improper input validation (CWE-918: Server-Side Request Forgery). The window endpoint accepts the location parameter directly from user input without implementing proper URL validation, allowlisting, or sanitization controls. This design flaw allows attackers to specify arbitrary URLs, including internal network addresses and localhost services.
Attack Vector
The vulnerability is exploitable over the network without requiring authentication or user interaction. An attacker can send a crafted HTTP request to the vulnerable window endpoint with a malicious location parameter pointing to internal resources. The server will then make a GET request to the specified URL and potentially return the response to the attacker.
The attack flow involves the vulnerable code path in routes.py at line 479, which passes user input to the request handling code in request.py. For detailed technical analysis, refer to the GitHub Security Advisory and the vulnerable code in request.py.
Detection Methods for CVE-2024-22205
Indicators of Compromise
- Unusual outbound HTTP GET requests from the Whoogle Search server to internal network addresses (e.g., 127.0.0.1, 10.x.x.x, 192.168.x.x, 172.16.x.x)
- Requests to the /window endpoint with suspicious location parameter values containing internal IP addresses or cloud metadata endpoints
- Server logs showing connections to unexpected internal services or infrastructure endpoints
- Anomalous traffic patterns from the Whoogle Search server to AWS metadata service (169.254.169.254) or similar cloud provider endpoints
Detection Strategies
- Monitor web application firewall (WAF) logs for requests to the /window endpoint containing IP addresses or internal hostnames in the location parameter
- Implement network segmentation monitoring to detect unexpected outbound connections from the Whoogle Search server
- Deploy intrusion detection rules to alert on SSRF attack patterns targeting the vulnerable endpoint
- Review Whoogle Search access logs for requests with URL-encoded internal addresses or localhost references
Monitoring Recommendations
- Configure network monitoring to alert on outbound connections from the Whoogle Search server to RFC 1918 private address ranges
- Enable detailed access logging for the Whoogle Search application to capture all requests to the /window endpoint
- Implement DNS logging to detect requests for internal hostnames originating from the Whoogle Search server
- Set up alerts for connections to cloud metadata endpoints from the Whoogle Search server
How to Mitigate CVE-2024-22205
Immediate Actions Required
- Upgrade Whoogle Search to version 0.8.4 or later immediately
- Review server logs for evidence of exploitation attempts targeting the /window endpoint
- Audit network access controls to ensure the Whoogle Search server has minimal access to internal resources
- Consider implementing network-level egress filtering to restrict outbound connections from the Whoogle Search server
Patch Information
The vulnerability has been addressed in Whoogle Search version 0.8.4. The fix involves proper validation and sanitization of the location parameter before processing. The patch can be reviewed in the official commit.
Organizations should update their Whoogle Search installations by pulling the latest version from the official repository or container registry.
Workarounds
- Implement a web application firewall (WAF) rule to block requests to the /window endpoint containing internal IP addresses or suspicious URL patterns
- Deploy network-level egress filtering to prevent the Whoogle Search server from connecting to internal network resources
- Place the Whoogle Search server in a network segment with restricted access to sensitive internal services
- Temporarily disable or restrict access to the /window endpoint if immediate patching is not possible
# Example: Update Whoogle Search using Docker
docker pull benbusby/whoogle-search:latest
docker stop whoogle
docker rm whoogle
docker run --name whoogle -p 5000:5000 -d benbusby/whoogle-search:latest
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
