| Field | Value |
|---|---|
| Product | ContiNew Admin |
| Vendor | Charles7c Authors |
| Affected Versions | ≤ 4.2.0-SNAPSHOT (all versions with S3 storage feature) |
| Vulnerability Type | CWE-918: Server-Side Request Forgery (SSRF) |
| CVSS 3.1 Score | 5.7 (MEDIUM) |
| Attack Complexity | Low |
| Privileges Required | High (Administrator) |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | None |
| Availability Impact | None |
A Server-Side Request Forgery (SSRF) vulnerability exists in ContiNew Admin’s storage management module. The application allows administrators to configure S3-compatible object storage endpoints without properly validating whether the endpoint points to internal network addresses or cloud metadata services.
The vulnerability is located in S3ClientFactory.java, where the user-supplied endpoint URL is passed directly to URI.create() and used to establish HTTP connections through the AWS SDK's S3Client, with no check that rejects internal IP addresses, loopback or link-local ranges, or sensitive URLs such as cloud metadata endpoints.
Repo: https://github.com/continew-org/continew-admin
| File Path | Line | Description |
|---|---|---|
| continew-system/src/main/java/top/continew/admin/system/factory/S3ClientFactory.java | 50 | SSRF injection point |
| continew-system/src/main/java/top/continew/admin/system/model/req/StorageReq.java | 90-94 | Insufficient URL validation |
| continew-admin-common/src/main/java/top/continew/admin/common/constant/RegexConstants.java | 65 | Weak URL regex pattern |
S3ClientFactory.java (Line 43-55):

```java
public S3Client getClient(StorageDO storage) {
    String key = storage.getEndpoint() + "|" + storage.getAccessKey();
    return CLIENT_CACHE.computeIfAbsent(key, k -> {
        StaticCredentialsProvider auth = StaticCredentialsProvider.create(
            AwsBasicCredentials.create(storage.getAccessKey(), storage.getSecretKey()));
        return S3Client.builder()
            .credentialsProvider(auth)
            .endpointOverride(URI.create(storage.getEndpoint())) // VULNERABLE: No validation
            .region(Region.US_EAST_1)
            .serviceConfiguration(S3Configuration.builder()
                .chunkedEncodingEnabled(false).build())
            .build();
    });
}
```
StorageReq.java (Line 90-94) - Insufficient Validation:

```java
@Schema(description = "Endpoint", example = "http://oss-cn-shanghai.aliyuncs.com")
@Length(max = 255, message = "Endpoint长度不能超过 {max} 个字符")
@NotBlank(message = "Endpoint不能为空", groups = ValidationGroup.Storage.OSS.class)
@Pattern(regexp = RegexConstants.URL_HTTP, message = "Endpoint格式不正确",
         groups = ValidationGroup.Storage.OSS.class)
private String endpoint;
```
RegexConstants.java (Line 65) - Weak Pattern:

```java
// Only validates HTTP format, does NOT block internal IPs
public static final String URL_HTTP = "^(https?)://[\\w-+&@#/%?=~_|!:,.;]*[\\w-+&@#/%=~_|]$";
```
| Security Check | Status | Description |
|---|---|---|
| HTTP/HTTPS Protocol | ✅ Implemented | Regex requires http:// or https:// |
| URL Length Limit | ✅ Implemented | Max 255 characters |
| Internal IP Blocking | ❌ Missing | No blacklist for 10.x, 172.16-31.x, 192.168.x |
| Loopback Blocking | ❌ Missing | No blacklist for 127.0.0.0/8 |
| Link-Local Blocking | ❌ Missing | No blacklist for 169.254.0.0/16 |
| Cloud Metadata Blocking | ❌ Missing | No blacklist for metadata endpoints |
| DNS Rebinding Protection | ❌ Missing | No TOCTOU protection |
| URL Redirect Following | ⚠️ N/A | AWS SDK handles redirects |
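The following is an added example of the kind of endpoint check the table above says is missing; it is not ContiNew Admin's code, and the class name `EndpointValidator` and the metadata host list are assumptions chosen for illustration. It resolves the configured hostname and rejects the endpoint if any resolved address is loopback, link-local, site-local (10/8, 172.16/12, 192.168/16), unspecified, multicast or an IPv6 unique-local address, or if the host is a well-known metadata endpoint.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Set;

/** Hypothetical endpoint validator (example code, not part of the project). */
public final class EndpointValidator {

    // Constructed sample list of cloud metadata hosts; extend for your environment.
    private static final Set<String> METADATA_HOSTS = Set.of(
        "169.254.169.254", "metadata.google.internal", "100.100.100.200", "[fd00:ec2::254]");

    private EndpointValidator() {}

    /** True only for an absolute http(s) URL whose every resolved address is routable and non-internal. */
    public static boolean isSafeEndpoint(String endpoint) {
        URI uri;
        try {
            uri = new URI(endpoint);
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        if (!scheme.equalsIgnoreCase("http") && !scheme.equalsIgnoreCase("https")) return false;
        if (uri.getUserInfo() != null) return false; // reject "http://user@host" forms
        if (METADATA_HOSTS.contains(host.toLowerCase(Locale.ROOT))) return false;
        InetAddress[] addrs;
        try {
            addrs = InetAddress.getAllByName(host); // resolves names; accepts bracketed IPv6 literals
        } catch (UnknownHostException e) {
            return false;
        }
        for (InetAddress a : addrs) {
            if (isForbidden(a)) return false;
        }
        return true;
    }

    static boolean isForbidden(InetAddress a) {
        byte[] raw = a.getAddress();
        boolean ipv6UniqueLocal = raw.length == 16 && (raw[0] & 0xfe) == 0xfc; // fc00::/7
        return a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
            || a.isSiteLocalAddress() || a.isMulticastAddress() || ipv6UniqueLocal;
    }
}
```

This check alone does not close the DNS rebinding gap listed in the table: the address validated here must also be the address actually connected to (for example by pinning it in the HTTP client's resolver), otherwise a second lookup at connection time may return a different, internal address.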