Impact
A user with the project.edit permission (granted by the per-project "Administration" role) can configure machine translation service URLs pointing to arbitrary internal network addresses. During configuration validation, Weblate makes an HTTP request to the attacker-controlled URL and reflects up to 200 characters of the response body back to the user in an error message. This constitutes a Server-Side Request Forgery (SSRF) with partial response read.
Patches
- #18684
- The fix was subsequently cleaned up in follow-up patches
Workarounds
Limiting the available machinery services via the WEBLATE_MACHINERY setting avoids this, since users can then only select services whose endpoints are fixed by the administrator rather than entering arbitrary URLs.
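The two defensive ideas behind this advisory are (1) refusing a user-supplied service URL before any request is made if it can reach a non-public address, and (2) never reflecting the upstream response body into the error shown to the user. The following is an added example illustrating both; it is not Weblate's own code, and the function names (`check_service_url`, `validation_error_message`) and the injectable `resolver` hook are assumptions made so the check can be run offline against constructed inputs.

```python
"""Hypothetical pre-flight check for a user-configured machine translation
service URL (added example, not Weblate code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Only encrypted transport to the translation service is accepted.
ALLOWED_SCHEMES = {"https"}


def _system_resolve(host):
    # Default resolver: every A/AAAA answer for the host name.
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def url_target_addresses(url, resolver=_system_resolve):
    """All IP addresses a request for `url` could be sent to.

    Raises ValueError for a malformed URL, a disallowed scheme or a
    missing host; callers treat any of those as "not safe".
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    host = parts.hostname  # brackets already stripped for IPv6 literals
    if not host:
        raise ValueError("missing host")
    try:
        # Literal IP in the URL: no DNS lookup involved.
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(addr) for addr in resolver(host)]


def is_public_address(addr):
    # is_global already excludes RFC 1918, loopback, link-local
    # (169.254.0.0/16, so cloud metadata endpoints), CGNAT and the
    # documentation ranges; multicast is rejected separately.
    return addr.is_global and not addr.is_multicast


def check_service_url(url, resolver=_system_resolve):
    """True only if every address the URL resolves to is public.

    A name that resolves to a mix of public and internal addresses is
    rejected outright rather than trusting the first answer.
    """
    try:
        addrs = url_target_addresses(url, resolver)
    except ValueError:
        return False
    return bool(addrs) and all(is_public_address(a) for a in addrs)


def validation_error_message(status_code):
    """User-facing error for a failed validation request.

    Deliberately carries only the status code, never any part of the
    response body, so the error cannot act as a read channel.
    """
    return "Service validation failed (HTTP %d)" % status_code


if __name__ == "__main__":
    # Constructed inputs; a fake resolver keeps this offline.
    fake_dns = {"mt.example.com": ["8.8.8.8"],
                "dual.example.com": ["8.8.8.8", "10.0.0.1"]}
    for candidate in ("https://10.0.0.5/api",
                      "https://169.254.169.254/latest",
                      "https://[::1]/",
                      "https://mt.example.com/v1",
                      "https://dual.example.com/v1"):
        ok = check_service_url(candidate, resolver=fake_dns.get)
        print(candidate, "-> accepted" if ok else "-> rejected")
    print(validation_error_message(500))
```

One caveat a reviewer would raise: resolving the name at validation time and again at connect time leaves a window for the answer to change, so the connect step should reuse the addresses that passed the check (or repeat the check on the socket's peer address) rather than resolving afresh.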
References
Thanks to @DavidCarliez for disclosing this via GitHub private vulnerability reporting.