CVE-2024-5328 Overview
A Server-Side Request Forgery (SSRF) vulnerability exists in the lunary-ai/lunary application, specifically within the endpoint /auth/saml/tto/download-idp-xml. The vulnerability arises due to the application's failure to validate user-supplied URLs before using them in server-side requests. An attacker can exploit this vulnerability by sending a specially crafted request to the affected endpoint, allowing them to make unauthorized requests to internal or external resources. This could lead to the disclosure of sensitive information, service disruption, or further attacks against the network infrastructure.
Critical Impact
This SSRF vulnerability allows unauthenticated attackers to make unauthorized requests to internal services and external resources, potentially exposing sensitive internal data and enabling further network attacks.
Affected Products
- Lunary (all versions as of the vulnerability report)
- lunary-ai/lunary application with SAML authentication enabled
Discovery Timeline
- 2024-06-06 - CVE-2024-5328 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-5328
Vulnerability Analysis
This Server-Side Request Forgery (SSRF) vulnerability exists in the SAML authentication flow of the Lunary application. The vulnerable endpoint /auth/saml/tto/download-idp-xml is designed to download Identity Provider (IdP) metadata XML files during SAML configuration. However, the application fails to properly validate or sanitize the URL parameter supplied by users before making server-side HTTP requests.
The lack of URL validation allows attackers to abuse the server as a proxy to reach internal services that would otherwise be inaccessible from external networks. This includes internal APIs, cloud metadata services (such as AWS EC2 metadata at 169.254.169.254), internal databases, and other backend infrastructure components.
Root Cause
The root cause is Server-Side Request Forgery (CWE-918): the application takes a user-controlled URL and issues a server-side HTTP request to it without any control over where that request may go. A fetch-by-URL feature of this kind needs the following controls, none of which are described as present:
- URL scheme validation (allowing only HTTPS; an IdP metadata URL has no reason to use any other scheme)
- Domain allowlisting for trusted IdP providers, where the deployment can enumerate them
- Blocking of private IP ranges (RFC 1918 and 100.64.0.0/10), loopback and link-local addresses, in both IPv4 and IPv6 form (including IPv4-mapped IPv6 literals such as ::ffff:127.0.0.1)
- Blocking of cloud metadata service endpoints (169.254.169.254)
- Checking every address the hostname resolves to and connecting to the checked address rather than resolving again, since a literal-only check is bypassed by an attacker-controlled name that resolves to an internal address, or by DNS rebinding between check and connect
- Not following HTTP redirects, since a public URL that answers 302 to an internal address passes any check made on the original URL
Attack Vector
The vulnerability is exploitable over the network without authentication. An attacker can craft a malicious request to the /auth/saml/tto/download-idp-xml endpoint, substituting the legitimate IdP URL with an internal resource URL or external target of their choosing. The server then makes the request on behalf of the attacker and returns the response, effectively bypassing network segmentation and firewall controls.
The attack can be used to:
- Access internal services and APIs not exposed to the internet
- Retrieve cloud metadata credentials (AWS, GCP, Azure)
- Scan internal network ports and services
- Exfiltrate sensitive configuration data
- Potentially pivot to further attacks within the internal network
Detection Methods for CVE-2024-5328
Indicators of Compromise
- Unusual outbound HTTP requests from the Lunary application server to internal address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, loopback 127.0.0.0/8, and the link-local range 169.254.0.0/16)
- Requests to the cloud metadata endpoint 169.254.169.254 (used by AWS, GCP and Azure; on GCP also reachable as metadata.google.internal) originating from the application
- Abnormal access patterns to the /auth/saml/tto/download-idp-xml endpoint
- HTTP requests with localhost or internal hostnames as URL parameters in SAML configuration endpoints
Detection Strategies
- Monitor web application logs for requests to /auth/saml/tto/download-idp-xml whose URL parameter points at an internal IP address, localhost, a cloud metadata hostname, or an unexpected external domain. Match on the parsed hostname rather than on the raw string: 127.1, 0x7f000001 and 2130706433 all parse to 127.0.0.1, and an IPv6 literal such as [::1] or [::ffff:a9fe:a9fe] evades dotted-quad patterns
- Implement network-level monitoring to detect outbound connections from the Lunary server to internal infrastructure or cloud metadata services; this sees the attack regardless of how the URL was encoded
- Configure WAF rules to detect SSRF patterns in URL parameters, including private IP ranges and metadata service addresses, treating them as a detection aid rather than a control: they do not see a benign-looking hostname that resolves to an internal address, nor a redirect from a public URL to an internal one
- Review authentication logs for anomalous SAML configuration attempts
Monitoring Recommendations
- Enable detailed logging for all SAML-related endpoints in the Lunary application
- Set up alerts for any requests to the vulnerable endpoint containing URLs pointing to private IP ranges or localhost
- Monitor DNS queries from the application server for resolution of internal hostnames or suspicious external domains
- Implement egress filtering and log all outbound connections from the application server
How to Mitigate CVE-2024-5328
Immediate Actions Required
- Restrict access to the /auth/saml/tto/download-idp-xml endpoint to authenticated administrators only; this shrinks the attacker population but does not remove the SSRF, since anyone who can still reach the endpoint can point it at internal addresses
- Implement network-level egress filtering so the application server cannot open connections to internal address ranges or to 169.254.169.254; this limits the impact even where URL validation is bypassed
- Consider disabling SAML authentication temporarily if not required until a patch is available
- Apply Web Application Firewall (WAF) rules to block requests whose URL parameter targets private, loopback, link-local or metadata addresses, matching on the parsed hostname rather than the raw string
Patch Information
Users should monitor the lunary-ai/lunary GitHub repository and official channels for security updates addressing this SSRF vulnerability. For detailed information about this vulnerability, see the Huntr Bug Bounty Report.
Workarounds
- Implement a reverse proxy or WAF in front of the Lunary application that validates and filters URL parameters before they reach the application, with the caveat that string-level filtering does not catch a hostname that resolves to an internal address or a public URL that redirects to one
- Configure firewall rules to block outbound connections from the Lunary application server to internal network ranges (RFC 1918 addresses) and cloud metadata services; 169.254.169.254 is link-local rather than RFC 1918, so it needs its own rule
- Deploy network segmentation to isolate the Lunary application from sensitive internal services
- If SAML is required, configure IdP metadata manually rather than using the automatic download feature, which removes the server-side fetch from the workflow entirely
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.