CVE-2026-42864— FireFighter 访问控制错误漏洞

FireFighter: Unauthenticated SSRF in Raid jira_bot endpoint allows IAM credential theft

FireFighter is an incident management application. Prior to 0.0.54, the POST /api/v2/firefighter/raid/jira_bot endpoint (CreateJiraBotView) is reachable without authentication (permission_classes = [permissions.AllowAny]). Its attachments payload is fetched server-side via httpx.get() with no URL validation, then uploaded as an attachment on the Jira ticket that gets created. An unauthenticated caller able to reach the ingress can coerce the pod into fetching arbitrary URLs and exfiltrate the response as a Jira attachment. On EC2/EKS deployments that do not enforce IMDSv2, this allows theft of the temporary AWS credentials attached to the pod's IAM role. The docstring on the view claims a Bearer token is required, but the code does not enforce it. This vulnerability is fixed in 0.0.54.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

关键功能的认证机制缺失

FireFighter 访问控制错误漏洞

FireFighter是ManoMano Tech开源的一款事件管理工具。 FireFighter 0.0.54之前版本存在访问控制错误漏洞，该漏洞源于POST /api/v2/firefighter/raid/jira_bot端点无需认证即可访问，且attachments有效载荷通过httpx.get无URL验证获取，可能导致未认证调用者强制Pod获取任意URL并将响应作为Jira附件泄露。

N/A

N/A