CVE-2026-45298
Webhook Test Endpoint Authentication Bypass in Dozzle
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dozzle | dozzle | up to 10.5.2 (excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Dozzle, a real-time log viewer for Docker containers, in versions prior to 10.5.2. In a default deployment without authentication configured, the POST endpoint /api/notifications/test-webhook can be reached without any authentication.
An attacker can supply a URL to this endpoint, which the application hands to a WebhookDispatcher. The dispatcher then sends an HTTP POST request to the attacker-supplied URL, including attacker-controlled request headers.
If the target URL responds with a non-2xx status code, the application returns both the response status code and up to 1MB of the response body back to the attacker.
How can this vulnerability impact me?
This vulnerability can be exploited by an attacker to perform server-side request forgery (SSRF), allowing them to make the Dozzle server send HTTP POST requests to arbitrary URLs with attacker-controlled headers.
The attacker can receive detailed responses including status codes and up to 1MB of response data from the targeted URLs, potentially exposing sensitive internal services or data.
Because the endpoint is accessible without authentication, this can be exploited remotely and without any privileges, increasing the risk of information disclosure or further attacks on internal networks.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Dozzle to version 10.5.2 or later, where the issue is fixed.
Additionally, avoid using the default deployment without authentication (i.e., do not leave DOZZLE_AUTH_PROVIDER unset) to prevent unauthorized access to the /api/notifications/test-webhook endpoint.
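As an added illustration (not Dozzle's code), this is the destination check an authenticated test-webhook handler should apply before dispatching, addressing the CWE-918 weakness above: it rejects non-http(s) schemes and any URL whose host resolves to a loopback, private or link-local address. The function names and the `lookupHost` seam are hypothetical; the address classification relies on Go's standard `net.IP` methods.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// ErrDisallowedDestination: the URL points at a loopback, private, link-local
// or otherwise non-public address, the CWE-918 case this advisory describes.
var ErrDisallowedDestination = errors.New("webhook destination is not a public address")

// lookupHost is a seam so the check can run offline in tests (hypothetical helper).
var lookupHost = net.LookupIP

// isPublicIP rejects the address classes a forged request from a Docker host
// would reach: loopback, RFC 1918 / ULA, link-local (covers 169.254.169.254
// cloud metadata), unspecified and multicast.
func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast())
}

// validateWebhookURL requires http(s), resolves the host and insists that every
// resolved address is public. A real dispatcher should also pin the dial to the
// checked address so a DNS answer cannot change between check and request.
func validateWebhookURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("missing host")
	}
	ips, err := lookupHost(host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("cannot resolve %q", host)
	}
	for _, ip := range ips {
		if !isPublicIP(ip) {
			return nil, ErrDisallowedDestination
		}
	}
	return u, nil
}
```

Even with this check in place, the handler should still sit behind the authentication provider and return only the remote status code, not the response body, so a failed test cannot echo internal content back to the caller.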