Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address. References: https://github.com/axios/axios/issues/3369 https://snyk.io/vuln/SNYK-JS-AXIOS-1038255
External References: https://snyk.io/vuln/SNYK-JS-AXIOS-1038255
Statement: Whilst in OpenShift Container Platform (OCP) the openshift4/ose-console container does include the vulnerable axios library, it does not use the vulnerable proxy functionality. Additionally, the console is behind OpenShift OAuth, restricting access to authenticated users only, and as such has been marked as Low impact. The OpenShift Service Mesh (OSSM) kiali component also includes the vulnerable axios library. Similar to OCP, kiali does not make use of the proxy function and is behind OpenShift OAuth, reducing the impact to Low.
For the grafana containers in OpenShift and Service Mesh, axios is included only as a dev dependency:

  "devDependencies": {
    ....
    "axios": "0.19.2",

and in grafana toolkit, yarn why axios:

  => Found "axios.2"
  info Has been hoisted to "axios"
  info Reasons this module exists
     - "workspace-aggregator-d137911f-b3b8-48ba-a924-5b580d8a5509" depends on it
     - Specified in "devDependencies"
     - Hoisted from "_project_#axios"
     - Hoisted from "_project_#@grafana#toolkit#axios"
  info Disk size without dependencies: "488KB"
  info Disk size with unique dependencies: "636KB"
  info Disk size with transitive dependencies: "760KB"
  info Number of shared dependencies: 3
  => Found "@chromaui/localtunnel#axios.0"
  info This module exists because "_project_#@grafana#ui#@storybook#addon-actions#react-inspector#storybook-chromatic#@chromaui#localtunnel" depends on it.
  Done in 1.84s.

Confirmed also by looking at the grafana container itself.
The openshift3/ose-web-console does not include the axios dependency at all. It is only found in openshift4/ose-console in 4.6+, which still does not use the vulnerable function: it calls the proxy URL directly rather than using the proxy option of axios. For example:

  method: 'POST',
  url: CDI_UPLOAD_URL_BUILDER(uploadProxyURL),
  data: form,
  cancelToken: cancelSource.token,

instead of using "proxy: { host: , port: }".
Mitigation: A mitigation exists whereby the error returned by axios.request is caught and inspected to identify that a redirect occurred. By updating the original request config with the redirect location, the request can then be repeated with the traffic routed through the proxy. As identified by Marika in this GitHub comment: https://github.com/axios/axios/issues/3369#issuecomment-721748989.