External risk intelligence

REBUILD 3.5 SSRF Vulnerability Allows Information Disclosure and Code Execution

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2024-25294

REBUILD is a low-code/application development platform typically deployed as a web-based application or service. As a web application accessible via URL parameters to fetch data, it functions as an internet-facing service, making the vulnerable file download and proxy functionality exposed to remote users in common deployment patterns.

Server-Side Request Forgery

Getrebuild Rebuild

3.5.0

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability in the REBUILD platform, specifically related to its file downloading functionality, could allow unauthorized remote access to sensitive information and the execution of arbitrary code. This issue affects version 3.5 of the software.

  • Remote attackers can access sensitive data.
  • It affects a platform used for application development.
  • Confirm relevance and potential exposure to sensitive data.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted requests to a vulnerable instance of the REBUILD application. This would leverage the FileDownloader.java component, specifically its proxyDownload functionality, to interact with external resources. By manipulating the URL parameters, an attacker could trick the application into downloading content from unintended locations, potentially leading to the disclosure of sensitive information or the execution of arbitrary code.

  • No authentication required.
  • Crafted URL parameters trigger download.
  • Risks sensitive data exposure and code execution.

Live Threat

Current exploitation, exposure, and threat context

A server-side request forgery (SSRF) vulnerability in REBUILD's FileDownloader.java could allow an unauthenticated remote attacker to access sensitive information and execute arbitrary code. This occurs when an attacker manipulates the `URL` parameters within the `proxyDownload` functionality. The impact is dependent on the specific configurations and network access granted to the REBUILD service.

  • Sensitive information exposure.
  • Malicious URLs could be fetched.
  • Arbitrary code execution is possible.

Operational Fix

Recommended remediation, mitigation, and detection steps

Security teams and application owners for REBUILD should prioritize understanding the scope of this SSRF vulnerability within their environments. The immediate first step involves identifying all instances of REBUILD, assessing their external reachability, and determining their criticality to business operations to inform risk-based remediation planning.

  • Application owners to manage remediation.
  • Verify external reachability and business criticality.
  • Coordinate vendor engagement for updates.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the REBUILD software platform?

REBUILD is a low-code application development platform designed to help teams build and manage web-based services. Because it is often deployed as a web application that facilitates data fetching and file management, it typically functions as a central service for internal or external business processes.

What does CWE-918 mean for CVE-2024-25294?

This CVE involves a Server-Side Request Forgery (SSRF) vulnerability, categorized as CWE-918. It means an attacker can force the REBUILD server to make unauthorized network requests on their behalf. By manipulating specific URL parameters, the application is tricked into accessing internal resources or executing unintended code, bypassing standard security controls.

How is this SSRF vulnerability triggered?

An attacker triggers this flaw by sending a specially crafted request to the proxyDownload function within the application's file downloading component. This does not require any user authentication or login to perform. Note that simply browsing the application or viewing standard pages does not trigger the vulnerability; it requires specific manipulation of the underlying URL parameters.

Is my REBUILD instance at risk?

Halo Surface Signal indicates that REBUILD is often deployed as an internet-facing service, which significantly increases risk. If your instance is accessible from the public internet, it is more likely to be reached by remote attackers. You should assess whether your specific deployment makes this functionality reachable from outside your private network.

What should I do if I run REBUILD 3.5?

Your first step is to locate all active instances of the REBUILD platform within your environment. Once identified, evaluate whether these instances are exposed to the internet or restricted to internal users. Engage with your vendor or check official support channels to determine if patches are available to secure the file downloading component.

References