CVE-2026-42864
FireFighter has unauthenticated SSRF in its Raid jira_bot endpoint that allows IAM credential theft
描述
### Impact The `POST /api/v2/firefighter/raid/jira_bot` endpoint (`CreateJiraBotView`) is reachable without authentication (`permission_classes = [permissions.AllowAny]`). Its `attachments` payload is fetched server-side via `httpx.get()` with no URL validation, then uploaded as an attachment on the Jira ticket that gets created. An unauthenticated caller able to reach the ingress can coerce the pod into fetching arbitrary URLs — including the cloud metadata endpoint at `http://169.254.169.254/` — and exfiltrate the response as a Jira attachment. On EC2/EKS deployments that do not enforce IMDSv2, this allows theft of the temporary AWS credentials attached to the pod's IAM role. The docstring on the view claims a Bearer token is required, but the code does not enforce it. Affected code paths: - `src/firefighter/raid/views/__init__.py` — `CreateJiraBotView` - `src/firefighter/raid/serializers.py` — `LandbotIssueRequestSerializer.attachments` - `src/firefighter/raid/client.py` — `RaidJiraClient.add_attachments_to_issue` ### Patches Fixed in `firefighter-incident` `0.0.54`: - `CreateJiraBotView` now enforces `BearerTokenAuthentication` + `IsAuthenticated`. - `attachments` URLs are validated: http(s) scheme only, max 10 URLs, rejection of any host resolving to a private, loopback, link-local, reserved, multicast or unspecified IP (IPv4 and IPv6). - Fixes an unrelated `KeyError('attachments')` surfaced during regression testing. Users should upgrade to `0.0.54` or later. ### Workarounds Until upgrade is possible, any one of the following blocks end-to-end exploitation: - Restrict ingress access to `/api/v2/firefighter/raid/jira_bot` to trusted networks only (VPN, internal load balancer). - Rotate or revoke the Jira API token configured as `RAID_JIRA_API_PASSWORD`; this breaks `jira.create_issue()` before the vulnerable attachment fetch is reached (legitimate traffic is also blocked — emergency mitigation only). - Enforce IMDSv2 with `HttpPutResponseHopLimit=1` on EC2/EKS nodes. This does not fix the SSRF itself but neutralises the IAM-credential-theft path. ### Resources - CWE-918: Server-Side Request Forgery - CWE-306: Missing Authentication for Critical Function
如何修補 CVE-2026-42864
要修補 CVE-2026-42864,請將受影響套件升級到下列已修補版本。
- —升級至 0.0.54 或更新版本