Hyland Alfresco Transformation Service SSRF

该 SSRF 漏洞允许未经身份验证的攻击者利用 Alfresco Transformation Service 的文档处理功能，向内部网络或外部服务器发起请求。攻击者可以利用此漏洞读取内部敏感文件，访问内部服务，甚至可能执行代码。攻击的影响范围取决于内部网络的配置和暴露的服务。如果内部服务存在其他漏洞，攻击者可能进一步利用 SSRF 漏洞进行横向移动，扩大攻击范围。此漏洞的潜在影响类似于其他SSRF漏洞，可能导致数据泄露、服务中断和系统控制权被盗。

Organizations utilizing Alfresco Transformation Service for document processing, particularly those with internal systems accessible from the internet or those using shared hosting environments, are at significant risk. Legacy configurations that allow unrestricted outbound network access are especially vulnerable.

• java / server: Monitor Alfresco Transformation Service logs for unusual outbound requests, particularly those targeting internal IP addresses or sensitive services. Use Java profiling tools to identify suspicious network activity originating from the Transformation Service process.

# Example: Grepping for requests to internal IPs
grep '192\.168\.' /var/log/alfresco/transformation-service.log

• generic web: Use a WAF to monitor and block outbound requests from the Alfresco Transformation Service to unexpected or sensitive destinations. Examine access logs for patterns indicative of SSRF attempts. • database (mysql, redis, mongodb, postgresql): While not directly applicable, monitor database connections originating from the Transformation Service for unusual activity.

1. 2026-02-19Disclosure

   disclosure

1. 已保留2026-02-13
2. 发布日期2026-02-19
3. 修改日期2026-03-02
4. EPSS 更新日期2026-03-23

最有效的缓解措施是升级至 Alfresco Transformation Service 5.3.0 或更高版本，该版本已修复此漏洞。如果无法立即升级，可以考虑以下临时缓解措施：限制 Transformation Service 的网络访问权限，仅允许其访问必要的内部资源。实施严格的输入验证，防止攻击者构造恶意的请求。使用 Web 应用防火墙 (WAF) 过滤掉可疑的请求，阻止 SSRF 攻击。监控 Transformation Service 的日志，检测异常活动。升级后，请验证服务是否正常运行，并确认漏洞已成功修复。