Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go` make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third-party API response are passed directly to these functions, allowing an attacker to force the Vikunja server to fetch internal network resources and return the response as a downloadable task attachment.
Version 2.2.1 patches the issue.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
Low
Partial data leak
Integrity
None
No data modification
Availability
Low
Partial disruption
CVSS Vector v3.1
Weakness Type (CWE)
Vulnerable Products 1
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Vikunja Vikunja
cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
|
— |
2.2.1
|
References 3
https://github.com/go-vikunja/vikunja/commit/93297742236e3d33af72c993e5da960db0…
security-advisories@github.com
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g66v-54v9-52pr
security-advisories@github.com
https://vikunja.io/changelog/vikunja-v2.2.2-was-released
security-advisories@github.com