Platform
nextjs
Component
plane
Fixed in
0.23.1
CVE-2024-47830 describes a critical Server-Side Request Forgery (SSRF) vulnerability discovered in Plane, an open-source project management tool. This flaw allows attackers to manipulate the application into making requests to arbitrary internal or external resources, potentially exposing sensitive data or facilitating further attacks. The vulnerability affects versions of Plane prior to 0.23.0 and has been resolved in that release.
The SSRF vulnerability in Plane arises from improper handling of wildcard characters in image retrieval within the /web/next.config.js file. An attacker can craft a malicious URL containing wildcards, tricking the Plane server into sending requests to unintended destinations. This could include internal services not meant to be publicly accessible, cloud metadata endpoints (e.g., AWS IMDS), or even external websites controlled by the attacker. Successful exploitation could lead to information disclosure, privilege escalation, or even remote code execution if the targeted internal service is vulnerable. The blast radius extends to any internal resources accessible from the Plane server.
CVE-2024-47830 was publicly disclosed on 2024-10-11. The vulnerability's ease of exploitation and the potential for significant impact make it a high-priority concern. No public proof-of-concept (PoC) code has been widely released, but the SSRF nature of the vulnerability makes it relatively straightforward to exploit. It is not currently listed on CISA KEV, but its CRITICAL CVSS score warrants close monitoring. Active exploitation is possible.
Exploit Status
EPSS
0.40% (61% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-47830 is to immediately upgrade Plane to version 0.23.0 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or reverse proxy with strict outbound request filtering rules to block requests to suspicious domains or IP addresses. Carefully review and restrict any outbound network access granted to the Plane application. Monitor Plane logs for unusual outbound requests that may indicate exploitation attempts. After upgrading, confirm the fix by attempting to access an internal resource via a crafted URL; the request should be blocked or denied.
Update Plane to version 0.23.0 or higher. This version fixes the Server Side Request Forgery (SSRF) vulnerability in the /_next/image endpoint. The update will prevent attackers from making requests to unintended locations from the server.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-47830 is a critical SSRF vulnerability in Plane versions prior to 0.23.0, allowing attackers to make requests to unintended locations. It's a serious security risk due to its potential for data exposure and further attacks.
Yes, if you are running Plane version 0.23.0 or earlier, you are affected by this vulnerability. Immediate action is required to mitigate the risk.
Upgrade Plane to version 0.23.0 or later to resolve the SSRF vulnerability. If upgrading is not possible, implement WAF rules and restrict outbound network access.
While no widespread exploitation has been confirmed, the vulnerability's ease of exploitation and potential impact suggest active exploitation is possible. Vigilance and prompt patching are crucial.
Refer to the official Plane project repository and security advisories for detailed information and updates regarding CVE-2024-47830: [https://github.com/plane-project/plane](https://github.com/plane-project/plane)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.