A high-severity information leakage vulnerability has been identified in multiple Librarian products. This flaw allows an attacker to force the affected system to access arbitrary external websites, effectively turning the organization's server into a proxy for malicious activity. This could lead to the exposure of internal data or be used to disguise attacks launched from the organization's network infrastructure.

The vulnerability exists within the web_fetch tool, which fails to properly validate user-supplied URLs. This flaw can be exploited as a Server-Side Request Forgery (SSRF) attack. An attacker can provide a specially crafted URL to a function that utilizes the web_fetch tool, causing the Librarian server to make a web request to an arbitrary domain or internal IP address on behalf of the attacker. The content retrieved from this request may be returned to the attacker, leading to information leakage, or simply used to proxy malicious traffic through the trusted server.

This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation could have significant business impacts, including reputational damage if the organization's infrastructure is used to attack other entities. An attacker could leverage this vulnerability to scan the internal network from the perspective of the compromised server, potentially identifying and accessing sensitive internal services not exposed to the internet. Furthermore, this could lead to the leakage of confidential information, including cloud service metadata, internal source code, or other sensitive data accessible from the server.

Immediate Action: Apply the security updates provided by the vendor to all affected Librarian products without delay. After patching, review application and network logs for any signs of exploitation, such as unusual outbound requests originating from the Librarian servers.

Proactive Monitoring: Monitor application logs for any calls to the web_fetch tool that include suspicious URLs, particularly those pointing to non-standard ports, internal IP addresses (e.g., 127.0.0.1, 10.0.0.0/8, 192.168.0.0/16), or known malicious domains. Monitor outbound network traffic from Librarian servers for connections to unexpected destinations.

Compensating Controls: If immediate patching is not feasible, implement the following controls:

• Egress Filtering: Use a firewall to strictly limit outbound network connections from the Librarian servers to only known and required destinations.
• Web Application Firewall (WAF): Deploy a WAF with rules designed to detect and block SSRF attack patterns in requests sent to the application.
• Network Segmentation: Ensure the affected servers are properly segmented from critical internal network resources to limit the potential impact of a successful exploit.

Public Exploit Available: false

Given the High severity rating (CVSS 7.5) and the potential for this vulnerability to be used as a pivot point into the internal network, we recommend that organizations prioritize the immediate application of vendor-supplied patches. Although this vulnerability is not currently listed on the CISA KEV catalog, the risk of exploitation is significant. If patching cannot be performed immediately, the compensating controls outlined above, especially egress filtering, should be implemented as an urgent temporary measure.